Edit tour

Windows Analysis Report
s2Jg1MAahY.exe

Overview

General Information

Sample name:	s2Jg1MAahY.exe renamed because original name is a hash value
Original sample name:	130c869f7ce90b4dd45a1192c8cb13aa8e3f986ab29fb9f446475e2030a2d2ec.exe
Analysis ID:	1587906
MD5:	6239c4047e0f1c4f55a96199e77d3669
SHA1:	7967d09a6357dfb6abbd99963dbcf9ee46b50bd9
SHA256:	130c869f7ce90b4dd45a1192c8cb13aa8e3f986ab29fb9f446475e2030a2d2ec
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

s2Jg1MAahY.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\s2Jg1MAahY.exe" MD5: 6239C4047E0F1C4F55A96199E77D3669)

powershell.exe (PID: 7708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GedTanqRR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7296 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7780 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

s2Jg1MAahY.exe (PID: 7948 cmdline: "C:\Users\user\Desktop\s2Jg1MAahY.exe" MD5: 6239C4047E0F1C4F55A96199E77D3669)

GedTanqRR.exe (PID: 8088 cmdline: C:\Users\user\AppData\Roaming\GedTanqRR.exe MD5: 6239C4047E0F1C4F55A96199E77D3669)

schtasks.exe (PID: 3512 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpE4A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GedTanqRR.exe (PID: 7436 cmdline: "C:\Users\user\AppData\Roaming\GedTanqRR.exe" MD5: 6239C4047E0F1C4F55A96199E77D3669)

sgxIb.exe (PID: 7260 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 6239C4047E0F1C4F55A96199E77D3669)

schtasks.exe (PID: 7528 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp30F5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sgxIb.exe (PID: 7704 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 6239C4047E0F1C4F55A96199E77D3669)

sgxIb.exe (PID: 7960 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 6239C4047E0F1C4F55A96199E77D3669)

sgxIb.exe (PID: 8184 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 6239C4047E0F1C4F55A96199E77D3669)

schtasks.exe (PID: 7748 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp50A2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sgxIb.exe (PID: 5472 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 6239C4047E0F1C4F55A96199E77D3669)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000019.00000002.2977002334.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.2977002334.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.2977002334.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2977044627.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2977044627.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.2976437638.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2976437638.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.2978687835.000000000335C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2977044627.00000000032CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.2976437638.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.2978687835.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2978687835.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: s2Jg1MAahY.exe PID: 7516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: s2Jg1MAahY.exe PID: 7516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: s2Jg1MAahY.exe PID: 7516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: s2Jg1MAahY.exe PID: 7948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: s2Jg1MAahY.exe PID: 7948	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: GedTanqRR.exe PID: 8088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GedTanqRR.exe PID: 8088	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: GedTanqRR.exe PID: 8088	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: GedTanqRR.exe PID: 7436	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GedTanqRR.exe PID: 7436	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: sgxIb.exe PID: 7260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sgxIb.exe PID: 7260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: sgxIb.exe PID: 7260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: sgxIb.exe PID: 7960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sgxIb.exe PID: 7960	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: sgxIb.exe PID: 8184	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: sgxIb.exe PID: 5472	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sgxIb.exe PID: 5472	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.sgxIb.exe.505fdb0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.sgxIb.exe.505fdb0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.sgxIb.exe.505fdb0.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3317c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x331ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33278:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3330a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33374:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x333e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3347c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3350c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
15.2.sgxIb.exe.505fdb0.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30370:$s2: GetPrivateProfileString 0x2f9fa:$s3: get_OSFullName 0x3116b:$s5: remove_Key 0x31357:$s5: remove_Key 0x32275:$s6: FtpWebRequest 0x3315e:$s7: logins 0x336d0:$s7: logins 0x36427:$s7: logins 0x36493:$s7: logins 0x37f12:$s7: logins 0x3702d:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.GedTanqRR.exe.4c3d218.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.GedTanqRR.exe.4c3d218.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.GedTanqRR.exe.4c3d218.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3317c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x331ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33278:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3330a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33374:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x333e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3347c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3350c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.GedTanqRR.exe.4c3d218.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30370:$s2: GetPrivateProfileString 0x2f9fa:$s3: get_OSFullName 0x3116b:$s5: remove_Key 0x31357:$s5: remove_Key 0x32275:$s6: FtpWebRequest 0x3315e:$s7: logins 0x336d0:$s7: logins 0x36427:$s7: logins 0x36493:$s7: logins 0x37f12:$s7: logins 0x3702d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7159c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x7160e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x71698:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x7172a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x71794:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x71806:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x7189c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3530c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x7192c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x6e790:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x6de1a:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x6f58b:$s5: remove_Key 0x6f777:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x70695:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x7157e:$s7: logins 0x71af0:$s7: logins 0x74847:$s7: logins 0x748b3:$s7: logins 0x76332:$s7: logins 0x38e2d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7179c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaddbc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x7180e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xade2e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x71898:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xadeb8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x7192a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xadf4a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x71994:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xadfb4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x71a06:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xae026:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x71a9c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xae0bc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x6e990:$s2: GetPrivateProfileString 0xaafb0:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x6e01a:$s3: get_OSFullName 0xaa63a:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x6f78b:$s5: remove_Key 0x6f977:$s5: remove_Key 0xabdab:$s5: remove_Key 0xabf97:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x70895:$s6: FtpWebRequest 0xaceb5:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x7177e:$s7: logins
9.2.GedTanqRR.exe.4c79a38.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.GedTanqRR.exe.4c79a38.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.GedTanqRR.exe.4c79a38.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3530c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.GedTanqRR.exe.4c79a38.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x38e2d:$s9: 1.85 (Hash, version 2, native byte-order)
15.2.sgxIb.exe.5023590.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.sgxIb.exe.5023590.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.sgxIb.exe.5023590.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7179c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaddbc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x7180e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xade2e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x71898:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xadeb8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x7192a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xadf4a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x71994:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xadfb4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x71a06:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xae026:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x71a9c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xae0bc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
15.2.sgxIb.exe.5023590.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x6e990:$s2: GetPrivateProfileString 0xaafb0:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x6e01a:$s3: get_OSFullName 0xaa63a:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x6f78b:$s5: remove_Key 0x6f977:$s5: remove_Key 0xabdab:$s5: remove_Key 0xabf97:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x70895:$s6: FtpWebRequest 0xaceb5:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x7177e:$s7: logins
0.2.s2Jg1MAahY.exe.4aceda0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.s2Jg1MAahY.exe.4aceda0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.sgxIb.exe.5023590.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.sgxIb.exe.5023590.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.s2Jg1MAahY.exe.4aceda0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3317c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x331ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33278:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3330a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33374:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x333e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3347c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3350c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.s2Jg1MAahY.exe.4aceda0.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30370:$s2: GetPrivateProfileString 0x2f9fa:$s3: get_OSFullName 0x3116b:$s5: remove_Key 0x31357:$s5: remove_Key 0x32275:$s6: FtpWebRequest 0x3315e:$s7: logins 0x336d0:$s7: logins 0x36427:$s7: logins 0x36493:$s7: logins 0x37f12:$s7: logins 0x3702d:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.GedTanqRR.exe.4c79a38.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.GedTanqRR.exe.4c79a38.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.sgxIb.exe.5023590.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3317c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x331ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33278:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3330a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33374:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x333e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3347c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3350c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
15.2.sgxIb.exe.5023590.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30370:$s2: GetPrivateProfileString 0x2f9fa:$s3: get_OSFullName 0x3116b:$s5: remove_Key 0x31357:$s5: remove_Key 0x32275:$s6: FtpWebRequest 0x3315e:$s7: logins 0x336d0:$s7: logins 0x36427:$s7: logins 0x36493:$s7: logins 0x37f12:$s7: logins 0x3702d:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.GedTanqRR.exe.4c79a38.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3317c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x331ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33278:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3330a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33374:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x333e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3347c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3350c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.GedTanqRR.exe.4c79a38.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30370:$s2: GetPrivateProfileString 0x2f9fa:$s3: get_OSFullName 0x3116b:$s5: remove_Key 0x31357:$s5: remove_Key 0x32275:$s6: FtpWebRequest 0x3315e:$s7: logins 0x336d0:$s7: logins 0x36427:$s7: logins 0x36493:$s7: logins 0x37f12:$s7: logins 0x3702d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.s2Jg1MAahY.exe.4a92580.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.s2Jg1MAahY.exe.4a92580.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.s2Jg1MAahY.exe.4a92580.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3317c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x331ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33278:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3330a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33374:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x333e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3347c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3350c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.s2Jg1MAahY.exe.4a92580.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30370:$s2: GetPrivateProfileString 0x2f9fa:$s3: get_OSFullName 0x3116b:$s5: remove_Key 0x31357:$s5: remove_Key 0x32275:$s6: FtpWebRequest 0x3315e:$s7: logins 0x336d0:$s7: logins 0x36427:$s7: logins 0x36493:$s7: logins 0x37f12:$s7: logins 0x3702d:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.GedTanqRR.exe.4c3d218.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.GedTanqRR.exe.4c3d218.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.GedTanqRR.exe.4c3d218.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7179c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x7180e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x71898:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x7192a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x71994:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x71a06:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x71a9c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3530c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x71b2c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.GedTanqRR.exe.4c3d218.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x6e990:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x6e01a:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x6f78b:$s5: remove_Key 0x6f977:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x70895:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x7177e:$s7: logins 0x71cf0:$s7: logins 0x74a47:$s7: logins 0x74ab3:$s7: logins 0x76532:$s7: logins 0x38e2d:$s9: 1.85 (Hash, version 2, native byte-order)
15.2.sgxIb.exe.505fdb0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.sgxIb.exe.505fdb0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.sgxIb.exe.505fdb0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7159c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x7160e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x71698:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x7172a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x71794:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x71806:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x7189c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3530c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x7192c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
15.2.sgxIb.exe.505fdb0.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x6e790:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x6de1a:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x6f58b:$s5: remove_Key 0x6f777:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x70695:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x7157e:$s7: logins 0x71af0:$s7: logins 0x74847:$s7: logins 0x748b3:$s7: logins 0x76332:$s7: logins 0x38e2d:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\s2Jg1MAahY.exe", ParentImage: C:\Users\user\Desktop\s2Jg1MAahY.exe, ParentProcessId: 7516, ParentProcessName: s2Jg1MAahY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe", ProcessId: 7708, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\s2Jg1MAahY.exe, ProcessId: 7948, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgxIb

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpE4A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpE4A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\GedTanqRR.exe, ParentImage: C:\Users\user\AppData\Roaming\GedTanqRR.exe, ParentProcessId: 8088, ParentProcessName: GedTanqRR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpE4A.tmp", ProcessId: 3512, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\s2Jg1MAahY.exe", ParentImage: C:\Users\user\Desktop\s2Jg1MAahY.exe, ParentProcessId: 7516, ParentProcessName: s2Jg1MAahY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp", ProcessId: 7780, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\s2Jg1MAahY.exe", ParentImage: C:\Users\user\Desktop\s2Jg1MAahY.exe, ParentProcessId: 7516, ParentProcessName: s2Jg1MAahY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe", ProcessId: 7708, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\s2Jg1MAahY.exe", ParentImage: C:\Users\user\Desktop\s2Jg1MAahY.exe, ParentProcessId: 7516, ParentProcessName: s2Jg1MAahY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp", ProcessId: 7780, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:16:35.902330+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49743	110.4.45.197	21	TCP
2025-01-10T19:16:41.503463+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49753	110.4.45.197	21	TCP
2025-01-10T19:16:49.648006+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49759	110.4.45.197	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:16:36.746851+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49748	110.4.45.197	49512	TCP
2025-01-10T19:16:36.752254+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49748	110.4.45.197	49512	TCP
2025-01-10T19:16:42.333821+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49755	110.4.45.197	56014	TCP
2025-01-10T19:16:42.339180+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49755	110.4.45.197	56014	TCP
2025-01-10T19:16:50.477613+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49760	110.4.45.197	58731	TCP
2025-01-10T19:16:50.483043+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49760	110.4.45.197	58731	TCP

Joe Security MALWARE AgentTesla - FTP Exfil Keyboard Logs

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:17:53.843622+0100	1800007	1	A Network Trojan was detected	192.168.2.4	50008	110.4.45.197	62859	TCP

Joe Security MALWARE AgentTesla - FTP Exfil Screenshots

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:17:52.872682+0100	1800008	1	A Network Trojan was detected	192.168.2.4	50000	110.4.45.197	65033	TCP
2025-01-10T19:17:56.489053+0100	1800008	1	A Network Trojan was detected	192.168.2.4	50027	110.4.45.197	56202	TCP
2025-01-10T19:18:08.875649+0100	1800008	1	A Network Trojan was detected	192.168.2.4	50038	110.4.45.197	64854	TCP
2025-01-10T19:18:23.666309+0100	1800008	1	A Network Trojan was detected	192.168.2.4	50039	110.4.45.197	49158	TCP
2025-01-10T19:18:33.306104+0100	1800008	1	A Network Trojan was detected	192.168.2.4	50041	110.4.45.197	64021	TCP
2025-01-10T19:18:33.357346+0100	1800008	1	A Network Trojan was detected	192.168.2.4	50042	110.4.45.197	59944	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: s2Jg1MAahY.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ftp.haliza.com.my

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Avira: detection malicious, Label: HEUR/AGEN.1350994
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Avira: detection malicious, Label: HEUR/AGEN.1350994

Found malware configuration

Source: 9.2.GedTanqRR.exe.4c3d218.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: s2Jg1MAahY.exe	Virustotal: Detection: 69%			Perma Link
Source: s2Jg1MAahY.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: s2Jg1MAahY.exe

Joe Sandbox ML: detected

Source: s2Jg1MAahY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49758 version: TLS 1.2

Source: s2Jg1MAahY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 4x nop then jmp 0ED5112Ah	0_2_0ED5147A
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 4x nop then jmp 0ED5112Ah	0_2_0ED51991
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 4x nop then jmp 076B049Ah	9_2_076B07EA
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 4x nop then jmp 0B80049Ah	15_2_0B8007EA
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 4x nop then jmp 0B80049Ah	15_2_0B800D01
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 4x nop then jmp 0913049Ah	22_2_091307EA

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49748 -> 110.4.45.197:49512
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49755 -> 110.4.45.197:56014
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49753 -> 110.4.45.197:21
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49760 -> 110.4.45.197:58731
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49759 -> 110.4.45.197:21
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49743 -> 110.4.45.197:21
Source: Network traffic	Suricata IDS: 1800008 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Screenshots : 192.168.2.4:50000 -> 110.4.45.197:65033
Source: Network traffic	Suricata IDS: 1800007 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Keyboard Logs : 192.168.2.4:50008 -> 110.4.45.197:62859
Source: Network traffic	Suricata IDS: 1800008 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Screenshots : 192.168.2.4:50038 -> 110.4.45.197:64854
Source: Network traffic	Suricata IDS: 1800008 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Screenshots : 192.168.2.4:50027 -> 110.4.45.197:56202
Source: Network traffic	Suricata IDS: 1800008 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Screenshots : 192.168.2.4:50041 -> 110.4.45.197:64021
Source: Network traffic	Suricata IDS: 1800008 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Screenshots : 192.168.2.4:50039 -> 110.4.45.197:49158
Source: Network traffic	Suricata IDS: 1800008 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Screenshots : 192.168.2.4:50042 -> 110.4.45.197:59944

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 110.4.45.197 ports 62570,62132,49512,64854,57660,63986,59944,55440,56014,58731,56510,49158,49476,50413,65033,64021,61591,62859,1,2,56202,56301,52528,21

Source: global traffic

TCP traffic: 192.168.2.4:49740 -> 110.4.45.197:56301

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 110.4.45.197 110.4.45.197

Source: Joe Sandbox View

ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 110.4.45.197:21 -> 192.168.2.4:49738 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 02:16. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.haliza.com.my

Source: s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: s2Jg1MAahY.exe, 00000008.00000002.2977044627.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000332B000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.00000000032CC000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000338C000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.0000000003456000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2976437638.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.2978687835.000000000335C000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2977002334.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.haliza.com.my
Source: s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: s2Jg1MAahY.exe, 00000000.00000002.1773290594.0000000003115000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.0000000003251000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1852262660.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2976437638.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000F.00000002.1915348802.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.2978687835.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1995497677.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2977002334.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000000.00000002.1780145389.0000000005A64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: s2Jg1MAahY.exe, 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2968037571.0000000000437000.00000040.00000400.00020000.00000000.sdmp, sgxIb.exe, 0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: s2Jg1MAahY.exe, 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.0000000003251000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2968040431.0000000000436000.00000040.00000400.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2976437638.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.2978687835.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2977002334.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: s2Jg1MAahY.exe, 00000008.00000002.2977044627.0000000003251000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2976437638.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.2978687835.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2977002334.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: s2Jg1MAahY.exe, 00000008.00000002.2977044627.0000000003251000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2976437638.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.2978687835.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2977002334.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/
Source: s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c
Source: s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c
Source: GedTanqRR.exe.0.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/history.aspx
Source: GedTanqRR.exe.0.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/transfer.aspx
Source: GedTanqRR.exe.0.dr	String found in binary or memory: https://sci.libertyreserve.com/
Source: s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49758 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\s2Jg1MAahY.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\GedTanqRR.exe
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.sgxIb.exe.505fdb0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.sgxIb.exe.505fdb0.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.GedTanqRR.exe.4c3d218.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.GedTanqRR.exe.4c3d218.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.GedTanqRR.exe.4c79a38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.GedTanqRR.exe.4c79a38.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 15.2.sgxIb.exe.5023590.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.sgxIb.exe.5023590.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.s2Jg1MAahY.exe.4aceda0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.s2Jg1MAahY.exe.4aceda0.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 15.2.sgxIb.exe.5023590.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.sgxIb.exe.5023590.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.GedTanqRR.exe.4c79a38.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.GedTanqRR.exe.4c79a38.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.s2Jg1MAahY.exe.4a92580.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.s2Jg1MAahY.exe.4a92580.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.GedTanqRR.exe.4c3d218.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.GedTanqRR.exe.4c3d218.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 15.2.sgxIb.exe.505fdb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.sgxIb.exe.505fdb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_0143D57C	0_2_0143D57C
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A54180	0_2_07A54180
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A52B58	0_2_07A52B58
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A54A80	0_2_07A54A80
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A5C730	0_2_07A5C730
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A5353A	0_2_07A5353A
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A53548	0_2_07A53548
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A5C2F8	0_2_07A5C2F8
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A5E210	0_2_07A5E210
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A54170	0_2_07A54170
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A53140	0_2_07A53140
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A53150	0_2_07A53150
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A55021	0_2_07A55021
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A50023	0_2_07A50023
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A55030	0_2_07A55030
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A50040	0_2_07A50040
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A52FAA	0_2_07A52FAA
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A5BEC0	0_2_07A5BEC0
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A52E02	0_2_07A52E02
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A52E10	0_2_07A52E10
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A5DDD8	0_2_07A5DDD8
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A52B4A	0_2_07A52B4A
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A54A71	0_2_07A54A71
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A53908	0_2_07A53908
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_07A538F8	0_2_07A538F8
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_0ED53078	0_2_0ED53078
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_018E4198	8_2_018E4198
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_018EE9F8	8_2_018EE9F8
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_018E4A68	8_2_018E4A68
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_018E3E50	8_2_018E3E50
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DAC76C	8_2_06DAC76C
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DA55DA	8_2_06DA55DA
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DA55E8	8_2_06DA55E8
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DB56A8	8_2_06DB56A8
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DB6700	8_2_06DB6700
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DB3578	8_2_06DB3578
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DB7E90	8_2_06DB7E90
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DB77B0	8_2_06DB77B0
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DB2749	8_2_06DB2749
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DBE4C8	8_2_06DBE4C8
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DB0040	8_2_06DB0040
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DB5DF7	8_2_06DB5DF7
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_06DB003F	8_2_06DB003F
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0180D57C	9_2_0180D57C
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_076B0318	9_2_076B0318
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_076B0318	9_2_076B0318
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_076B0313	9_2_076B0313
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E2B58	9_2_0B5E2B58
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E4A80	9_2_0B5E4A80
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E4180	9_2_0B5E4180
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E2B4B	9_2_0B5E2B4B
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E4A71	9_2_0B5E4A71
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E3908	9_2_0B5E3908
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E38F8	9_2_0B5E38F8
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E2E10	9_2_0B5E2E10
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E2E03	9_2_0B5E2E03
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5EBEC0	9_2_0B5EBEC0
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5EDDD8	9_2_0B5EDDD8
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5EE210	9_2_0B5EE210
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5EC2F8	9_2_0B5EC2F8
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E3150	9_2_0B5E3150
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E3140	9_2_0B5E3140
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E4170	9_2_0B5E4170
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E0040	9_2_0B5E0040
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E0006	9_2_0B5E0006
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E5030	9_2_0B5E5030
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E5021	9_2_0B5E5021
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5EC730	9_2_0B5EC730
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E3548	9_2_0B5E3548
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E353B	9_2_0B5E353B
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_02C34A68	13_2_02C34A68
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_02C3E9F8	13_2_02C3E9F8
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_02C33E50	13_2_02C33E50
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_02C3AF37	13_2_02C3AF37
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_02C34198	13_2_02C34198
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A456A8	13_2_06A456A8
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A47E90	13_2_06A47E90
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A46700	13_2_06A46700
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A43578	13_2_06A43578
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A477B0	13_2_06A477B0
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A4E788	13_2_06A4E788
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A42718	13_2_06A42718
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A45DF7	13_2_06A45DF7
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A40040	13_2_06A40040
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_06A4003E	13_2_06A4003E
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_01A0D57C	15_2_01A0D57C
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B800318	15_2_0B800318
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B8024A0	15_2_0B8024A0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B800318	15_2_0B800318
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B800308	15_2_0B800308
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B822B58	15_2_0B822B58
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B824180	15_2_0B824180
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B822B4A	15_2_0B822B4A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B824A80	15_2_0B824A80
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B824A71	15_2_0B824A71
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B823908	15_2_0B823908
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B8238F8	15_2_0B8238F8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B82BEC0	15_2_0B82BEC0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B822E02	15_2_0B822E02
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B822E10	15_2_0B822E10
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B82DDD8	15_2_0B82DDD8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B82C2F8	15_2_0B82C2F8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B82E210	15_2_0B82E210
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B823140	15_2_0B823140
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B823150	15_2_0B823150
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B824170	15_2_0B824170
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B820007	15_2_0B820007
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B825021	15_2_0B825021
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B825030	15_2_0B825030
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B820040	15_2_0B820040
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B82C730	15_2_0B82C730
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B82353A	15_2_0B82353A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_0B823548	15_2_0B823548
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_01874A68	19_2_01874A68
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_0187AC80	19_2_0187AC80
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_01873E50	19_2_01873E50
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_01874198	19_2_01874198
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_0187E9C3	19_2_0187E9C3
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_06ECC3FC	19_2_06ECC3FC
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_06EC52A8	19_2_06EC52A8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_06EC52A2	19_2_06EC52A2
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_06ED6708	19_2_06ED6708
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_06ED3580	19_2_06ED3580
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_06ED0040	19_2_06ED0040
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_06ED77B8	19_2_06ED77B8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_06EDE4D0	19_2_06EDE4D0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_06ED5E10	19_2_06ED5E10
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_02A2D57C	22_2_02A2D57C
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_05156BE0	22_2_05156BE0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_05150006	22_2_05150006
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_05150040	22_2_05150040
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07544180	22_2_07544180
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07542B58	22_2_07542B58
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07544A80	22_2_07544A80
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_0754C730	22_2_0754C730
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07543548	22_2_07543548
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_0754353B	22_2_0754353B
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_0754E210	22_2_0754E210
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_0754C2F8	22_2_0754C2F8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07543150	22_2_07543150
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07543140	22_2_07543140
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07544170	22_2_07544170
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07540040	22_2_07540040
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07540006	22_2_07540006
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07545030	22_2_07545030
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07545021	22_2_07545021
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07542FAB	22_2_07542FAB
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07542E10	22_2_07542E10
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07542E03	22_2_07542E03
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_0754BEC0	22_2_0754BEC0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_0754DDD8	22_2_0754DDD8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07542B4B	22_2_07542B4B
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07544A71	22_2_07544A71
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_07543908	22_2_07543908
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_075438F8	22_2_075438F8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_09130318	22_2_09130318
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_091323E0	22_2_091323E0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_09130308	22_2_09130308
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_09130318	22_2_09130318
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_0682C3FC	25_2_0682C3FC
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_06823874	25_2_06823874
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_068252A2	25_2_068252A2
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_068252A8	25_2_068252A8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_06825F96	25_2_06825F96
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_068356B0	25_2_068356B0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_06836708	25_2_06836708
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_06833580	25_2_06833580
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_06830040	25_2_06830040
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_06837E98	25_2_06837E98
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_068377B8	25_2_068377B8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_0683E4D0	25_2_0683E4D0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_0683234B	25_2_0683234B
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_06835DFF	25_2_06835DFF
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_06830007	25_2_06830007

Source: s2Jg1MAahY.exe

Static PE information: invalid certificate

Source: s2Jg1MAahY.exe, 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs s2Jg1MAahY.exe
Source: s2Jg1MAahY.exe, 00000000.00000002.1779200822.00000000058E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs s2Jg1MAahY.exe
Source: s2Jg1MAahY.exe, 00000000.00000002.1773872051.0000000003F15000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs s2Jg1MAahY.exe
Source: s2Jg1MAahY.exe, 00000000.00000002.1773872051.0000000004735000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs s2Jg1MAahY.exe
Source: s2Jg1MAahY.exe, 00000000.00000002.1772419598.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs s2Jg1MAahY.exe
Source: s2Jg1MAahY.exe, 00000000.00000000.1713017930.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJghe.exe4 vs s2Jg1MAahY.exe
Source: s2Jg1MAahY.exe, 00000000.00000002.1773290594.0000000003115000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs s2Jg1MAahY.exe
Source: s2Jg1MAahY.exe, 00000000.00000002.1782965166.000000000BA80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs s2Jg1MAahY.exe
Source: s2Jg1MAahY.exe, 00000008.00000002.2968972015.00000000012F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs s2Jg1MAahY.exe
Source: s2Jg1MAahY.exe	Binary or memory string: OriginalFilenameJghe.exe4 vs s2Jg1MAahY.exe

Source: s2Jg1MAahY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.sgxIb.exe.505fdb0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.sgxIb.exe.505fdb0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.GedTanqRR.exe.4c3d218.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.GedTanqRR.exe.4c3d218.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.GedTanqRR.exe.4c79a38.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.GedTanqRR.exe.4c79a38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 15.2.sgxIb.exe.5023590.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.sgxIb.exe.5023590.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.s2Jg1MAahY.exe.4aceda0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.s2Jg1MAahY.exe.4aceda0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 15.2.sgxIb.exe.5023590.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.sgxIb.exe.5023590.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.GedTanqRR.exe.4c79a38.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.GedTanqRR.exe.4c79a38.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.s2Jg1MAahY.exe.4a92580.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.s2Jg1MAahY.exe.4a92580.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.GedTanqRR.exe.4c3d218.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.GedTanqRR.exe.4c3d218.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 15.2.sgxIb.exe.505fdb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.sgxIb.exe.505fdb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: s2Jg1MAahY.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GedTanqRR.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sgxIb.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@33/20@2/2

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

File created: C:\Users\user\AppData\Roaming\GedTanqRR.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Mutant created: \Sessions\1\BaseNamedObjects\oHNByndhbEJXlbuFCpVKa
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp

Jump to behavior

Source: s2Jg1MAahY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: s2Jg1MAahY.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: s2Jg1MAahY.exe	Virustotal: Detection: 69%
Source: s2Jg1MAahY.exe	ReversingLabs: Detection: 78%

Source: s2Jg1MAahY.exe

String found in binary or memory: PageCount-Start date is missing.MHistory is not available before '{0}'.

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

File read: C:\Users\user\Desktop\s2Jg1MAahY.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\s2Jg1MAahY.exe "C:\Users\user\Desktop\s2Jg1MAahY.exe"
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GedTanqRR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Users\user\Desktop\s2Jg1MAahY.exe "C:\Users\user\Desktop\s2Jg1MAahY.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GedTanqRR.exe C:\Users\user\AppData\Roaming\GedTanqRR.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpE4A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process created: C:\Users\user\AppData\Roaming\GedTanqRR.exe "C:\Users\user\AppData\Roaming\GedTanqRR.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp30F5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp50A2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GedTanqRR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Users\user\Desktop\s2Jg1MAahY.exe "C:\Users\user\Desktop\s2Jg1MAahY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpE4A.tmp"
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process created: C:\Users\user\AppData\Roaming\GedTanqRR.exe "C:\Users\user\AppData\Roaming\GedTanqRR.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp30F5.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp50A2.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: s2Jg1MAahY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: s2Jg1MAahY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_0143E9B8 pushfd ; retf	0_2_0143E9B9
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 0_2_0143DBE4 pushfd ; ret	0_2_0143DBED
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Code function: 8_2_018E0C55 push edi; retf	8_2_018E0C7A
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0180E9B8 pushfd ; retf	9_2_0180E9B9
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0180F550 pushad ; iretd	9_2_0180F559
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0180DBE4 pushfd ; ret	9_2_0180DBED
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E8EA8 push ds; ret	9_2_0B5E8EAA
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E905B push ds; ret	9_2_0B5E9062
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E9019 push ds; ret	9_2_0B5E902A
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 9_2_0B5E8511 push ss; ret	9_2_0B5E8512
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Code function: 13_2_02C3F8E8 pushad ; retf	13_2_02C3F8F1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_01A0E9B8 pushfd ; retf	15_2_01A0E9B9
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 15_2_01A0DBE4 pushfd ; ret	15_2_01A0DBED
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_0187F7C8 pushad ; retf	19_2_0187F7D1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 19_2_01870C55 push edi; retf	19_2_01870C7A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_02A2E9B8 pushfd ; retf	22_2_02A2E9B9
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 22_2_02A2DBE4 pushfd ; ret	22_2_02A2DBED
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_0682BB91 push ds; retf 0006h	25_2_0682BB92
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_0682BBB1 push ds; retf 0006h	25_2_0682BBB2
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 25_2_0682B9A9 push ds; retf 0006h	25_2_0682B9AA

Source: s2Jg1MAahY.exe	Static PE information: section name: .text entropy: 7.636878369806903
Source: GedTanqRR.exe.0.dr	Static PE information: section name: .text entropy: 7.636878369806903
Source: sgxIb.exe.8.dr	Static PE information: section name: .text entropy: 7.636878369806903

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe			Jump to dropped file
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	File created: C:\Users\user\AppData\Roaming\GedTanqRR.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp"

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb			Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: s2Jg1MAahY.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GedTanqRR.exe PID: 8088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 8184, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: 1430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: 9330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: 7BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: A330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: B330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: BB10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: CB10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: DB10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: 1890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: 3250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory allocated: 5250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: 17C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: 31B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: 51B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: 8FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: 9FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: A1C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: B1C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: B970000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: C970000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 1A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 3450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 3350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 9220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: A220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: A410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: B410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: BED0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: CED0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: DED0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 1870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 32E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 3050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 29E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 4BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 8A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 9A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 9C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 7130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: B2D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: C2D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 10D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 2B20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 4B20000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599746	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599637	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598967	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598709	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598440	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598180	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597530	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597186	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597073	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596746	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596629	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595837	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595715	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595592	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595323	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594232	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598657
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598491
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598382
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597923
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597729
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597620
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597457
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597182
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596936
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596768
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596641
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596520
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596226
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596112
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595990
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594948
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594823
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594713
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594375
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594266
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594156
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594047
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593931
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593813
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593698
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593578
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593469
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593344
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599545
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598551
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598039
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597929
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597702
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597470
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596670
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596452
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595788
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595489
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595227
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594994
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594854
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594749
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594640
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594531
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594422
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594312
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594203
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598452
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598342
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597996
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597871
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597747
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597422
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597202
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597091
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596435
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595671
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595439
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595202
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595045
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594934
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594374

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9065	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 576	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8919	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 674	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Window / User API: threadDelayed 7128	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Window / User API: threadDelayed 2703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Window / User API: threadDelayed 4603
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Window / User API: threadDelayed 5236
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window / User API: threadDelayed 6736
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window / User API: threadDelayed 3111
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window / User API: threadDelayed 2472
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window / User API: threadDelayed 7371

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 7536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep count: 9065 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep count: 576 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8052	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8056	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -599746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -599637s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -599515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -598967s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -598709s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -598440s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -598180s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -597530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -597186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -597073s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -596968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -596746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -596629s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -595952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -595837s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -595715s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -595592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -595323s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -594343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -594232s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe TID: 8180	Thread sleep time: -594124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -40582836962160988s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -599436s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -599327s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -598891s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -598657s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -598491s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -598382s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -597923s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -597729s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -597620s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -597457s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -597182s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -597063s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -596936s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -596768s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -596641s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -596520s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -596226s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -596112s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -595990s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -594948s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -594823s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -594713s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -594594s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -594484s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -594375s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -594266s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -594156s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -594047s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -593931s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -593813s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -593698s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -593578s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -593469s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -593344s >= -30000s
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe TID: 7688	Thread sleep time: -593234s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -599545s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -598999s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -598551s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -598187s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -598039s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -597929s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -597702s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -597593s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -597470s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -597344s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -596670s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -596452s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -596344s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -595788s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -595489s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -595227s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -595109s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -594994s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -594854s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -594749s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -594640s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -594531s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -594422s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -594312s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8020	Thread sleep time: -594203s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8108	Thread sleep count: 2472 > 30
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 8108	Thread sleep count: 7371 > 30
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -599327s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -598999s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -598452s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -598342s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -597996s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -597871s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -597747s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -597531s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -597422s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -597312s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -597202s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -597091s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596874s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596435s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596218s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -595890s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -595781s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -595671s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -595439s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -595312s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -595202s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -595045s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -594934s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -594593s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -594484s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3868	Thread sleep time: -594374s >= -30000s

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599746	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599637	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598967	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598709	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598440	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598180	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597530	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597186	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 597073	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596746	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596629	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595837	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595715	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595592	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595323	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594232	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Thread delayed: delay time: 594124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598657
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598491
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598382
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597923
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597729
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597620
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597457
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597182
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596936
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596768
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596641
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596520
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596226
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 596112
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595990
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594948
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594823
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594713
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594375
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594266
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594156
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 594047
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593931
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593813
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593698
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593578
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593469
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593344
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Thread delayed: delay time: 593234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599545
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598551
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598039
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597929
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597702
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597470
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596670
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596452
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595788
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595489
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595227
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594994
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594854
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594749
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594640
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594531
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594422
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594312
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594203
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598452
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598342
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597996
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597871
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597747
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597422
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597202
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597091
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596435
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595671
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595439
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595202
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595045
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594934
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594374

Source: GedTanqRR.exe, 00000009.00000002.1850209751.0000000001502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: GedTanqRR.exe, 00000009.00000002.1850209751.0000000001502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: sgxIb.exe, 00000013.00000002.2969662977.000000000145A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz%
Source: s2Jg1MAahY.exe, 00000008.00000002.2971025990.00000000015E5000.00000004.00000020.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2969620558.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2969546365.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe"
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GedTanqRR.exe"
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GedTanqRR.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Memory written: C:\Users\user\Desktop\s2Jg1MAahY.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Memory written: C:\Users\user\AppData\Roaming\GedTanqRR.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory written: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory written: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GedTanqRR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Process created: C:\Users\user\Desktop\s2Jg1MAahY.exe "C:\Users\user\Desktop\s2Jg1MAahY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpE4A.tmp"
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Process created: C:\Users\user\AppData\Roaming\GedTanqRR.exe "C:\Users\user\AppData\Roaming\GedTanqRR.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp30F5.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp50A2.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"

Source: s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000337D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q8<b>[ Program Manager]</b> (11/01/2025 03:39:12)<br>{Win}THcq
Source: s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000337D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000337D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000337D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q3<b>[ Program Manager]</b> (11/01/2025 03:39:12)<br>
Source: s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000338C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 01/24/2025 06:41:35<br>User Name: user<br>Computer Name: 745481<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.189<br><hr><b>[ Program Manager]</b> (11/01/2025 03:39:12)<br>{Win}r</html>
Source: s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000337D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q9<b>[ Program Manager]</b> (11/01/2025 03:39:12)<br>{Win}rTHcq

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Users\user\Desktop\s2Jg1MAahY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Users\user\Desktop\s2Jg1MAahY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Users\user\AppData\Roaming\GedTanqRR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Users\user\AppData\Roaming\GedTanqRR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 15.2.sgxIb.exe.505fdb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c3d218.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c79a38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sgxIb.exe.5023590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4aceda0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sgxIb.exe.5023590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c79a38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4a92580.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c3d218.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sgxIb.exe.505fdb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.2977002334.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2977002334.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2977044627.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2976437638.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2978687835.000000000335C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2977044627.00000000032CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2976437638.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2978687835.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s2Jg1MAahY.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s2Jg1MAahY.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GedTanqRR.exe PID: 8088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GedTanqRR.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 5472, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\s2Jg1MAahY.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\GedTanqRR.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 15.2.sgxIb.exe.505fdb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c3d218.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c79a38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sgxIb.exe.5023590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4aceda0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sgxIb.exe.5023590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c79a38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4a92580.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c3d218.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sgxIb.exe.505fdb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.2977002334.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2977044627.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2976437638.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2978687835.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s2Jg1MAahY.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s2Jg1MAahY.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GedTanqRR.exe PID: 8088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GedTanqRR.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 5472, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 15.2.sgxIb.exe.505fdb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c3d218.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4aceda0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4a92580.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c79a38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sgxIb.exe.5023590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4aceda0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sgxIb.exe.5023590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c79a38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s2Jg1MAahY.exe.4a92580.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.GedTanqRR.exe.4c3d218.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sgxIb.exe.505fdb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.2977002334.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2977002334.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2977044627.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2976437638.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2978687835.000000000335C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2977044627.00000000032CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2976437638.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2978687835.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s2Jg1MAahY.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s2Jg1MAahY.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GedTanqRR.exe PID: 8088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GedTanqRR.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 5472, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	112 Process Injection	3 Obfuscated Files or Information	11 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Software Packing	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	211 Security Software Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	112 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
s2Jg1MAahY.exe	69%	Virustotal		Browse
s2Jg1MAahY.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
s2Jg1MAahY.exe	100%	Avira	HEUR/AGEN.1350994
s2Jg1MAahY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	100%	Avira	HEUR/AGEN.1350994
C:\Users\user\AppData\Roaming\GedTanqRR.exe	100%	Avira	HEUR/AGEN.1350994
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GedTanqRR.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GedTanqRR.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook

Source	Detection	Scanner	Label
https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c	0%	Avira URL Cloud	safe
http://ftp.haliza.com.my	100%	Avira URL Cloud	malware
https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high
ftp.haliza.com.my	110.4.45.197	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	s2Jg1MAahY.exe, 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2968037571.0000000000437000.00000040.00000400.00020000.00000000.sdmp, sgxIb.exe, 0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.libertyreserve.com/beta/xml/history.aspx	GedTanqRR.exe.0.dr	false		high
http://www.tiro.com	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	s2Jg1MAahY.exe, 00000008.00000002.2977044627.0000000003251000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2976437638.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.2978687835.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2977002334.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	false		high
https://api.libertyreserve.com/beta/xml/	s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	false		high
http://www.carterandcone.coml	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c	s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	s2Jg1MAahY.exe, 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.0000000003251000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2968040431.0000000000436000.00000040.00000400.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2976437638.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.2978687835.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2977002334.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.libertyreserve.com/beta/xml/transfer.aspx	GedTanqRR.exe.0.dr	false		high
http://www.fontbureau.com/designers/frere-user.html	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c	s2Jg1MAahY.exe, sgxIb.exe.8.dr, GedTanqRR.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://ftp.haliza.com.my	s2Jg1MAahY.exe, 00000008.00000002.2977044627.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000332B000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.00000000032CC000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.000000000338C000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.0000000003456000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2976437638.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.2978687835.000000000335C000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2977002334.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.jiyu-kobo.co.jp/	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sci.libertyreserve.com/	GedTanqRR.exe.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	s2Jg1MAahY.exe, 00000000.00000002.1773290594.0000000003115000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000008.00000002.2977044627.0000000003251000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 00000009.00000002.1852262660.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, GedTanqRR.exe, 0000000D.00000002.2976437638.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000F.00000002.1915348802.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.2978687835.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1995497677.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000019.00000002.2977002334.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	s2Jg1MAahY.exe, 00000000.00000002.1780417173.0000000007112000.00000004.00000800.00020000.00000000.sdmp, s2Jg1MAahY.exe, 00000000.00000002.1780145389.0000000005A64000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
110.4.45.197	ftp.haliza.com.my	Malaysia		46015	EXABYTES-AS-APExaBytesNetworkSdnBhdMY	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587906
Start date and time:	2025-01-10 19:15:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	s2Jg1MAahY.exe renamed because original name is a hash value
Original Sample Name:	130c869f7ce90b4dd45a1192c8cb13aa8e3f986ab29fb9f446475e2030a2d2ec.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@33/20@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 359 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:16:20	API Interceptor	1389766x Sleep call for process: s2Jg1MAahY.exe modified
13:16:22	API Interceptor	80x Sleep call for process: powershell.exe modified
13:16:25	API Interceptor	198812x Sleep call for process: GedTanqRR.exe modified
13:16:34	API Interceptor	1295567x Sleep call for process: sgxIb.exe modified
18:16:22	Task Scheduler	Run new task: GedTanqRR path: C:\Users\user\AppData\Roaming\GedTanqRR.exe
18:16:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
18:16:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	api.ipify.org/
	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
110.4.45.197	Pi648je050.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Termination_List_November_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse
	Payslip_October_2024.exe	Get hash	malicious	AgentTesla	Browse
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Payslip_October_2024.pdf.exe	Get hash	malicious	AgentTesla	Browse
	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	104.26.13.205
	7DpzcPcsTS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	FSRHC6mB16.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	9pIm5d0rsW.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	VYLigyTDuW.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
ftp.haliza.com.my	Pi648je050.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197
	Termination_List_November_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024.pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	110.4.45.197
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	172.64.147.188
	jd4t3R7hOq.exe	Get hash	malicious	Azorult	Browse	104.21.75.48
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	Voicemail_+Transcription+_ATT006151.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	104.21.28.65
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
EXABYTES-AS-APExaBytesNetworkSdnBhdMY	5.elf	Get hash	malicious	Unknown	Browse	203.142.6.36
	armv7l.elf	Get hash	malicious	Unknown	Browse	203.142.6.55
	http://zilianmy.com	Get hash	malicious	Unknown	Browse	103.6.198.100
	https://url.uk.m.mimecastprotect.com/s/i6hKCJ8OAsjPWvuxFXHy1dB_?domain=finatal.us2.list-manage.com	Get hash	malicious	Unknown	Browse	137.59.109.34
	https://finatal.us2.list-manage.com/track/click?u=f73f7708eca5e1d2f61bc2a09&id=82613a7740&e=d824888c03	Get hash	malicious	Unknown	Browse	137.59.109.34
	Pi648je050.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197
	Termination_List_November_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Mamba2FA	Browse	103.6.199.200
	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	MqzEQCpFAY.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	MqzEQCpFAY.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.26.12.205
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205

Process:	C:\Users\user\AppData\Roaming\GedTanqRR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s2Jg1MAahY.exe.log

Download File

Process:	C:\Users\user\Desktop\s2Jg1MAahY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379677338874509
Encrypted:	false
SSDEEP:	48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZmUyus:tLHxvIIwLgZ2KRHWLOuggs
MD5:	F825B63C7D6B045FCFBA8BE6E0757BB8
SHA1:	789ED088BEEB1F6A08141F2D3F2DC8315AD23B35
SHA-256:	E1CA090C9A65A42E64DD89FB4FBD281F8128747D20DEE28178B630029F2D5818
SHA-512:	A13109C035829E502531A8741A28154F4FABF8719B92BF1646255B6B53CB3F3FA8BD8CAC4DC363E0A1D5308440E57170DB6ED2CA50549EEAC487CAB70DD5E6AF
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0fdemhkn.kyu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyywn1cc.hx3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_elindv2r.4sm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3f5tstw.et3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0vdxbfw.j3l.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pol05p5u.cil.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wiqgae4d.aj3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ziss5g5g.sf3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp30F5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.107638367564107
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaBxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTEv
MD5:	A7B598B4DB64F3A7260E80D9A07B15C0
SHA1:	C980C8EE375DD735E29E8BCAC06912A68277F4D1
SHA-256:	52C1B5686912FECD3CB3FA39B908F9C4690B5807578BA18420DFFB709F299695
SHA-512:	4D1143C4B2C96972B35B0E00562FC286BD371170501BC1B01BCDBAC76C1A3DC2C871D4A641A5B9A6A346A6CED96DBD0BE5BBB39DB77FF1B302F1119093799C63
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp50A2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.107638367564107
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaBxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTEv
MD5:	A7B598B4DB64F3A7260E80D9A07B15C0
SHA1:	C980C8EE375DD735E29E8BCAC06912A68277F4D1
SHA-256:	52C1B5686912FECD3CB3FA39B908F9C4690B5807578BA18420DFFB709F299695
SHA-512:	4D1143C4B2C96972B35B0E00562FC286BD371170501BC1B01BCDBAC76C1A3DC2C871D4A641A5B9A6A346A6CED96DBD0BE5BBB39DB77FF1B302F1119093799C63
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpE4A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\GedTanqRR.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.107638367564107
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaBxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTEv
MD5:	A7B598B4DB64F3A7260E80D9A07B15C0
SHA1:	C980C8EE375DD735E29E8BCAC06912A68277F4D1
SHA-256:	52C1B5686912FECD3CB3FA39B908F9C4690B5807578BA18420DFFB709F299695
SHA-512:	4D1143C4B2C96972B35B0E00562FC286BD371170501BC1B01BCDBAC76C1A3DC2C871D4A641A5B9A6A346A6CED96DBD0BE5BBB39DB77FF1B302F1119093799C63
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp

Download File

Process:	C:\Users\user\Desktop\s2Jg1MAahY.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.107638367564107
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaBxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTEv
MD5:	A7B598B4DB64F3A7260E80D9A07B15C0
SHA1:	C980C8EE375DD735E29E8BCAC06912A68277F4D1
SHA-256:	52C1B5686912FECD3CB3FA39B908F9C4690B5807578BA18420DFFB709F299695
SHA-512:	4D1143C4B2C96972B35B0E00562FC286BD371170501BC1B01BCDBAC76C1A3DC2C871D4A641A5B9A6A346A6CED96DBD0BE5BBB39DB77FF1B302F1119093799C63
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\GedTanqRR.exe

Download File

Process:	C:\Users\user\Desktop\s2Jg1MAahY.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	837640
Entropy (8bit):	7.643893733961534
Encrypted:	false
SSDEEP:	12288:3t8f2uE1zDXy/kp5qw8+KBAswiwJLcPwwuEco5IrU1GQGibDVy1ICS75Al/k/8fI:3tu2uOa/8q7FeswigQ/ar0PVy1pk/u2B
MD5:	6239C4047E0F1C4F55A96199E77D3669
SHA1:	7967D09A6357DFB6ABBD99963DBCF9EE46B50BD9
SHA-256:	130C869F7CE90B4DD45A1192C8CB13AA8E3F986AB29FB9F446475E2030A2D2EC
SHA-512:	BA9BE27965A41188431B55DFE7FEC6EB60D61F2A96B269C4D9F667C9E6D9E8E140A6457904B5798D4D75C985DF37975C8096DD91F2512CB71A220D2FB5D184BD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q.ag..............0..^...2.......}... ........@.. ....................................@.................................`}..O.......L/...............6........................................................... ............... ..H............text....]... ...^.................. ..`.rsrc...L/.......0...`..............@..@.reloc..............................@..B.................}......H.......XX..(.............................................................{...."..}......{...."..}......{...."..}......(....r.(......(......(......(.....0..Y........(.....(.....{...........%.r...p(....s.....%.r...p(....s.....%.r!..p(....s........(....&....0..j..........{....o....(....%.}.....}.....{....rg..p.\|....(....rq..p(....o.....{....rg..p.\|....(....rq..p(....o.......0..]........{....o....(.....#......@.Y.#3333...@.#.......@ZX#.p=...?Y.(......{......(....o...

C:\Users\user\AppData\Roaming\GedTanqRR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\s2Jg1MAahY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Download File

Process:	C:\Users\user\Desktop\s2Jg1MAahY.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	837640
Entropy (8bit):	7.643893733961534
Encrypted:	false
SSDEEP:	12288:3t8f2uE1zDXy/kp5qw8+KBAswiwJLcPwwuEco5IrU1GQGibDVy1ICS75Al/k/8fI:3tu2uOa/8q7FeswigQ/ar0PVy1pk/u2B
MD5:	6239C4047E0F1C4F55A96199E77D3669
SHA1:	7967D09A6357DFB6ABBD99963DBCF9EE46B50BD9
SHA-256:	130C869F7CE90B4DD45A1192C8CB13AA8E3F986AB29FB9F446475E2030A2D2EC
SHA-512:	BA9BE27965A41188431B55DFE7FEC6EB60D61F2A96B269C4D9F667C9E6D9E8E140A6457904B5798D4D75C985DF37975C8096DD91F2512CB71A220D2FB5D184BD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q.ag..............0..^...2.......}... ........@.. ....................................@.................................`}..O.......L/...............6........................................................... ............... ..H............text....]... ...^.................. ..`.rsrc...L/.......0...`..............@..@.reloc..............................@..B.................}......H.......XX..(.............................................................{...."..}......{...."..}......{...."..}......(....r.(......(......(......(.....0..Y........(.....(.....{...........%.r...p(....s.....%.r...p(....s.....%.r!..p(....s........(....&....0..j..........{....o....(....%.}.....}.....{....rg..p.\|....(....rq..p(....o.....{....rg..p.\|....(....rq..p(....o.......0..]........{....o....(.....#......@.Y.#3333...@.#.......@ZX#.p=...?Y.(......{......(....o...

C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\s2Jg1MAahY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.643893733961534
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	s2Jg1MAahY.exe
File size:	837'640 bytes
MD5:	6239c4047e0f1c4f55a96199e77d3669
SHA1:	7967d09a6357dfb6abbd99963dbcf9ee46b50bd9
SHA256:	130c869f7ce90b4dd45a1192c8cb13aa8e3f986ab29fb9f446475e2030a2d2ec
SHA512:	ba9be27965a41188431b55dfe7fec6eb60d61f2a96b269c4d9f667c9e6d9e8e140a6457904b5798d4d75c985df37975c8096dd91f2512cb71a220d2fb5d184bd
SSDEEP:	12288:3t8f2uE1zDXy/kp5qw8+KBAswiwJLcPwwuEco5IrU1GQGibDVy1ICS75Al/k/8fI:3tu2uOa/8q7FeswigQ/ar0PVy1pk/u2B
TLSH:	A605CFC03B3A7701DEBC7934D176EDB862642E687000B9E76EDD2B4776D9202A91CF64
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q.ag..............0..^...2.......}... ........@.. ....................................@................................

File Icon


Icon Hash:	674d797961216d59

Static PE Info

General

Entrypoint:	0x4c7db2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6761E651 [Tue Dec 17 21:00:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc7d60	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x2f4c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc9200	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc5dc0	0xc5e00	b074eb37e4826303332e56f90279559b	False	0.866615011054959	OpenPGP Secret Key	7.636878369806903	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x2f4c	0x3000	c6bbb12e41f4c143f3b4e278594a8eac	False	0.9442545572916666	data	7.741007404585098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	b6aa20be5f05ac6e9c51baa59e374b7f	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc80c8	0x2bf4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9942232492001422
RT_GROUP_ICON	0xcaccc	0x14	data	1.05
RT_VERSION	0xcacf0	0x258	data	0.4816666666666667

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T19:16:35.902330+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49743	110.4.45.197	21	TCP
2025-01-10T19:16:36.746851+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49748	110.4.45.197	49512	TCP
2025-01-10T19:16:36.752254+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49748	110.4.45.197	49512	TCP
2025-01-10T19:16:41.503463+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49753	110.4.45.197	21	TCP
2025-01-10T19:16:42.333821+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49755	110.4.45.197	56014	TCP
2025-01-10T19:16:42.339180+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49755	110.4.45.197	56014	TCP
2025-01-10T19:16:49.648006+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49759	110.4.45.197	21	TCP
2025-01-10T19:16:50.477613+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49760	110.4.45.197	58731	TCP
2025-01-10T19:16:50.483043+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49760	110.4.45.197	58731	TCP
2025-01-10T19:17:52.872682+0100	1800008	Joe Security MALWARE AgentTesla - FTP Exfil Screenshots	1	192.168.2.4	50000	110.4.45.197	65033	TCP
2025-01-10T19:17:53.843622+0100	1800007	Joe Security MALWARE AgentTesla - FTP Exfil Keyboard Logs	1	192.168.2.4	50008	110.4.45.197	62859	TCP
2025-01-10T19:17:56.489053+0100	1800008	Joe Security MALWARE AgentTesla - FTP Exfil Screenshots	1	192.168.2.4	50027	110.4.45.197	56202	TCP
2025-01-10T19:18:08.875649+0100	1800008	Joe Security MALWARE AgentTesla - FTP Exfil Screenshots	1	192.168.2.4	50038	110.4.45.197	64854	TCP
2025-01-10T19:18:23.666309+0100	1800008	Joe Security MALWARE AgentTesla - FTP Exfil Screenshots	1	192.168.2.4	50039	110.4.45.197	49158	TCP
2025-01-10T19:18:33.306104+0100	1800008	Joe Security MALWARE AgentTesla - FTP Exfil Screenshots	1	192.168.2.4	50041	110.4.45.197	64021	TCP
2025-01-10T19:18:33.357346+0100	1800008	Joe Security MALWARE AgentTesla - FTP Exfil Screenshots	1	192.168.2.4	50042	110.4.45.197	59944	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:16:22.941977978 CET	49735	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:22.942030907 CET	443	49735	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:22.942171097 CET	49735	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:22.954303980 CET	49735	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:22.954332113 CET	443	49735	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:23.452681065 CET	443	49735	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:23.452850103 CET	49735	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:23.456895113 CET	49735	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:23.456906080 CET	443	49735	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:23.457214117 CET	443	49735	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:23.508955002 CET	49735	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:23.700243950 CET	49735	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:23.743335962 CET	443	49735	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:23.818598032 CET	443	49735	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:23.818665981 CET	443	49735	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:23.818804026 CET	49735	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:23.926038980 CET	49735	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:25.260126114 CET	49737	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:25.264934063 CET	21	49737	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:25.265003920 CET	49737	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:25.283945084 CET	49737	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:25.288867950 CET	21	49737	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:25.288914919 CET	49737	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:25.385855913 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:25.390815973 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:25.390894890 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:26.217956066 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:26.218301058 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:26.223157883 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:26.551255941 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:26.551418066 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:26.556260109 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:26.951740980 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:26.951891899 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:26.956728935 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:27.287350893 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:27.288420916 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:27.293276072 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:27.611993074 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:27.612147093 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:27.617099047 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:27.976144075 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:27.976352930 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:27.981175900 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:28.299974918 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:28.300745010 CET	49740	56301	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:28.305627108 CET	56301	49740	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:28.305699110 CET	49740	56301	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:28.305877924 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:28.310676098 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.157676935 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.159796953 CET	49740	56301	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:29.159877062 CET	49740	56301	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:29.164778948 CET	56301	49740	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.164823055 CET	56301	49740	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.164834023 CET	56301	49740	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.165097952 CET	56301	49740	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.166157007 CET	49740	56301	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:29.320733070 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:29.495646000 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.496218920 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:29.501102924 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.820641994 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.821628094 CET	49741	62132	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:29.826585054 CET	62132	49741	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:29.826668024 CET	49741	62132	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:29.826813936 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:29.831617117 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:30.672576904 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:30.672864914 CET	49741	62132	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:30.677926064 CET	62132	49741	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:30.678142071 CET	49741	62132	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:30.789295912 CET	49742	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:30.789354086 CET	443	49742	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:30.789508104 CET	49742	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:30.795337915 CET	49742	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:30.795365095 CET	443	49742	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:30.820717096 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:30.996934891 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:31.133218050 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:31.281997919 CET	443	49742	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:31.282192945 CET	49742	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:31.283837080 CET	49742	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:31.283855915 CET	443	49742	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:31.284107924 CET	443	49742	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:31.340097904 CET	49742	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:31.383347988 CET	443	49742	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:31.450742006 CET	443	49742	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:31.450818062 CET	443	49742	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:31.450911999 CET	49742	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:31.454639912 CET	49742	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:32.856091976 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:32.861110926 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:32.861480951 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:33.685415983 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:33.685688019 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:33.690581083 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:34.012408018 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:34.012701035 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:34.017573118 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:34.378088951 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:34.380270004 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:34.387290001 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:34.705820084 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:34.820951939 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:34.882468939 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:34.887602091 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:35.217176914 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:35.221441031 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:35.226253986 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:35.568030119 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:35.568238020 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:35.573122025 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:35.894321918 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:35.895983934 CET	49748	49512	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:35.902194977 CET	49512	49748	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:35.902299881 CET	49748	49512	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:35.902329922 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:35.908437967 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:36.746552944 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:36.746850967 CET	49748	49512	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:36.746850967 CET	49748	49512	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:36.751679897 CET	49512	49748	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:36.752046108 CET	49512	49748	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:36.752254009 CET	49748	49512	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:36.820740938 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:36.893580914 CET	49750	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:36.893613100 CET	443	49750	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:36.893682003 CET	49750	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:36.897469997 CET	49750	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:36.897483110 CET	443	49750	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:37.072251081 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:37.096971035 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:37.101768017 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:37.359800100 CET	443	49750	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:37.359925985 CET	49750	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:37.365377903 CET	49750	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:37.365411997 CET	443	49750	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:37.365781069 CET	443	49750	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:37.424634933 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:37.430115938 CET	49750	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:37.634038925 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:37.854820967 CET	49750	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:37.861984015 CET	49752	49476	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:37.866924047 CET	49476	49752	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:37.867073059 CET	49752	49476	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:37.869219065 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:37.874052048 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:37.895349026 CET	443	49750	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:37.960191011 CET	443	49750	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:37.960268021 CET	443	49750	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:37.960493088 CET	49750	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:37.964201927 CET	49750	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:38.489074945 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:38.494086981 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:38.494178057 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:38.694217920 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:38.694434881 CET	49752	49476	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:38.694483995 CET	49752	49476	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:38.699376106 CET	49476	49752	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:38.699388981 CET	49476	49752	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:38.699405909 CET	49476	49752	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:38.699642897 CET	49476	49752	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:38.699704885 CET	49752	49476	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:38.820724964 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:39.020669937 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:39.022691011 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:39.027564049 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:39.347632885 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:39.348675013 CET	49754	55440	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:39.349699974 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:39.349905014 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:39.353539944 CET	55440	49754	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:39.353792906 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:39.354094982 CET	49754	55440	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:39.354749918 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:39.358628988 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:39.742343903 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:39.742525101 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:39.747453928 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:40.120299101 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:40.148365974 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:40.153579950 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:40.194278002 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:40.243350029 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:40.259349108 CET	49754	55440	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:40.264487982 CET	55440	49754	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:40.264570951 CET	49754	55440	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:40.485646963 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:40.487755060 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:40.492645979 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:40.606847048 CET	21	49743	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:40.648821115 CET	49743	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:40.824549913 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:40.824840069 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:40.829724073 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:41.161221027 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:41.161412001 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:41.166377068 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:41.497663021 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:41.498320103 CET	49755	56014	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:41.503226995 CET	56014	49755	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:41.503334045 CET	49755	56014	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:41.503463030 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:41.508354902 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:42.333451033 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:42.333821058 CET	49755	56014	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:42.333821058 CET	49755	56014	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:42.338617086 CET	56014	49755	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:42.339024067 CET	56014	49755	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:42.339179993 CET	49755	56014	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:42.383475065 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:42.662556887 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:42.686995983 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:42.691791058 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:43.022823095 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:43.028786898 CET	49756	57660	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:43.033657074 CET	57660	49756	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:43.033750057 CET	49756	57660	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:43.037434101 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:43.042293072 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:43.861056089 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:43.863132954 CET	49756	57660	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:43.863183975 CET	49756	57660	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:43.868166924 CET	57660	49756	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:43.868184090 CET	57660	49756	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:43.868190050 CET	57660	49756	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:43.868513107 CET	57660	49756	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:43.868587017 CET	49756	57660	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:43.914489985 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:44.193226099 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:44.193682909 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:44.198518038 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:44.530107021 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:44.530594110 CET	49757	52528	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:44.535489082 CET	52528	49757	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:44.535840988 CET	49757	52528	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:44.535860062 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:44.540661097 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:44.969388008 CET	49758	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:44.969424009 CET	443	49758	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:44.969559908 CET	49758	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:44.972794056 CET	49758	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:44.972814083 CET	443	49758	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:45.396611929 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:45.396967888 CET	49757	52528	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:45.402172089 CET	52528	49757	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:45.402223110 CET	49757	52528	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:45.445743084 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:45.465542078 CET	443	49758	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:45.465856075 CET	49758	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:45.471259117 CET	49758	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:45.471282005 CET	443	49758	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:45.471668959 CET	443	49758	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:45.523991108 CET	49758	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:45.737381935 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:45.789470911 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:46.054650068 CET	49758	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:46.095339060 CET	443	49758	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:46.198750973 CET	443	49758	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:46.198827982 CET	443	49758	104.26.12.205	192.168.2.4
Jan 10, 2025 19:16:46.198997974 CET	49758	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:46.203109026 CET	49758	443	192.168.2.4	104.26.12.205
Jan 10, 2025 19:16:46.710098028 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:46.715018988 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:46.715100050 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:47.572391033 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:47.572640896 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:47.577809095 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:47.901946068 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:47.902174950 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:47.907061100 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:48.285723925 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:48.286101103 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:48.290960073 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:48.646336079 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:48.647973061 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:48.652745008 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:48.977348089 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:48.977613926 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:48.982410908 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:49.307099104 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:49.307257891 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:49.312055111 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:49.639954090 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:49.640733957 CET	49760	58731	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:49.647762060 CET	58731	49760	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:49.647825956 CET	49760	58731	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:49.648005962 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:49.654890060 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:50.477369070 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:50.477612972 CET	49760	58731	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:50.477660894 CET	49760	58731	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:50.482758045 CET	58731	49760	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:50.482990980 CET	58731	49760	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:50.483042955 CET	49760	58731	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:50.523878098 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:50.809942961 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:50.837033033 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:50.842109919 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:51.167097092 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:51.168739080 CET	49761	61591	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:51.173713923 CET	61591	49761	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:51.173887014 CET	49761	61591	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:51.173996925 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:51.178920984 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.018157005 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.018369913 CET	49761	61591	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:52.018414974 CET	49761	61591	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:52.023214102 CET	61591	49761	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.023226023 CET	61591	49761	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.023236036 CET	61591	49761	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.023477077 CET	61591	49761	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.023525000 CET	49761	61591	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:52.070717096 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:52.372354984 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.372692108 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:52.377506971 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.701991081 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.702413082 CET	49762	63986	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:52.707211018 CET	63986	49762	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:52.707288027 CET	49762	63986	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:52.707375050 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:52.712209940 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:53.541420937 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:53.541642904 CET	49762	63986	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:53.546621084 CET	63986	49762	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:53.546683073 CET	49762	63986	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:53.586348057 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:16:53.871710062 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:16:53.930094957 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:51.693269014 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:51.698105097 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.029386044 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.029800892 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.034625053 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.034694910 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.034769058 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.039515972 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.677995920 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.682812929 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.722157955 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.727055073 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.730287075 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.867397070 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.867679119 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.872618914 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872667074 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872682095 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.872720957 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872729063 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.872750998 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872772932 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.872802973 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872816086 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.872848988 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872852087 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.872904062 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872910023 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.872912884 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872941971 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872944117 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.872970104 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.872972012 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.873016119 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.873043060 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.877778053 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.877827883 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.877831936 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.877856016 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.877901077 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.877919912 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.877929926 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.877981901 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.877998114 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.877998114 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.878036976 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.878057003 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.878124952 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.878159046 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.878176928 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.878233910 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.878236055 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.878288984 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.878329992 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.878360987 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.882662058 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.882724047 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.882877111 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.882958889 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.883219004 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.883249998 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.883277893 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.883330107 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.883343935 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.883364916 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.883389950 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.883440018 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.883467913 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.883497953 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.883529902 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.887614012 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.887829065 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.887856960 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.887891054 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.888403893 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.888432980 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.888461113 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.888607025 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.888636112 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.888823986 CET	65033	50000	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:52.888880968 CET	50000	65033	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:52.914572001 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.002171040 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.002608061 CET	50008	62859	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.007539034 CET	62859	50008	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.007678032 CET	50008	62859	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.007759094 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.012612104 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.580358028 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.580503941 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.585367918 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.661854982 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.711556911 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.823311090 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.838401079 CET	50008	62859	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.838401079 CET	50008	62859	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.843266964 CET	62859	50008	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.843535900 CET	62859	50008	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.843621969 CET	50008	62859	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.867722988 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.917577982 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:53.927798033 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:53.932734966 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.162164927 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.190659046 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.195630074 CET	21	49738	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.195717096 CET	49738	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.211137056 CET	50015	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.215965986 CET	21	50015	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.216115952 CET	50015	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.216631889 CET	50015	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.221470118 CET	21	50015	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.221522093 CET	50015	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.303798914 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.303962946 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.308728933 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.641175032 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.641319036 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.646198988 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.766175032 CET	50021	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.771008968 CET	21	50021	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.771114111 CET	50021	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.771261930 CET	50021	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.776120901 CET	21	50021	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.776185989 CET	50021	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.978025913 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:54.978323936 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:54.983163118 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:55.315205097 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:55.315325975 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:55.320321083 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:55.651962996 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:55.652348042 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:55.657150984 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:55.657218933 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:55.657310963 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:55.662019014 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:55.687338114 CET	50028	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:55.692152023 CET	21	50028	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:55.695333958 CET	50028	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:55.695333958 CET	50028	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:55.700335026 CET	21	50028	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:55.705219030 CET	50028	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:55.966555119 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:55.971522093 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:55.971945047 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.483218908 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.483587027 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.488673925 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.488701105 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.488718033 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.488732100 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.488756895 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.488770008 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.488828897 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.488842010 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.488887072 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.488965988 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.489053011 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.494090080 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494121075 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494187117 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494199991 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494237900 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.494272947 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494286060 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494307995 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.494328022 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494358063 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.494373083 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494522095 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494535923 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494570971 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.494695902 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494709969 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.494735956 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.494774103 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.494843960 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499222994 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499469042 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499501944 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499629974 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499656916 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499784946 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499800920 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499829054 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499844074 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499886990 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499901056 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.499919891 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.500197887 CET	56202	50027	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.500293970 CET	50027	56202	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.523981094 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.822586060 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:56.822740078 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:56.827508926 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:57.153232098 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:57.153458118 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:57.158263922 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:57.284276009 CET	21	50005	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:57.336477041 CET	50005	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:57.523694038 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:57.523916960 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:57.528773069 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:57.892111063 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:57.894428968 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:57.899234056 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:58.226243973 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:58.226624012 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:58.231462955 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:58.557544947 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:58.557708979 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:58.562493086 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:58.888945103 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:58.889575958 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:58.894452095 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:58.894524097 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:58.894705057 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:58.899446964 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.773782015 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.774130106 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.778969049 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.778981924 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.779027939 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.779038906 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.779051065 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.779073000 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.779083967 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.779084921 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.779098988 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.779123068 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.779251099 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.779262066 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.779263020 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.779273033 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.779340982 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.783989906 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784003019 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784025908 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784035921 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784071922 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.784077883 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784089088 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784096003 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.784101009 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784145117 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.784166098 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.784203053 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784214973 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784224033 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784322977 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784327984 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.784435987 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784459114 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.784463882 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.788958073 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.788969994 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.788981915 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789026976 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789097071 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789165974 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789196968 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789249897 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789282084 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789488077 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789498091 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789506912 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789518118 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789536953 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789547920 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789597988 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789611101 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789796114 CET	56510	50037	110.4.45.197	192.168.2.4
Jan 10, 2025 19:17:59.789900064 CET	50037	56510	192.168.2.4	110.4.45.197
Jan 10, 2025 19:17:59.821048021 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:00.603761911 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:00.649122000 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:07.674279928 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:07.679274082 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.010173082 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.010642052 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.015608072 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.015698910 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.015813112 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.020565987 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.865932941 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.870378971 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.875462055 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875479937 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875500917 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875509977 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875627995 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875638962 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875648975 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.875669956 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875713110 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.875730038 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875758886 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.875827074 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875839949 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.875853062 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.878298998 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.880569935 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.880584955 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.880604982 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.880616903 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.880654097 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.880692005 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.880711079 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.880867958 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.880878925 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.880887032 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.880913973 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.881122112 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:08.883224964 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.885550976 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.885663986 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.885674000 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.885750055 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.885857105 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.885902882 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.886087894 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.886122942 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.886298895 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.886467934 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.886477947 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.886697054 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.886997938 CET	64854	50038	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:08.890424013 CET	50038	64854	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:09.008392096 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:09.661653042 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:09.714303970 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:22.377106905 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:22.382004976 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:22.815439939 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:22.817153931 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:22.822114944 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:22.822402954 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:22.822441101 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:22.827254057 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.660964012 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.661240101 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.666212082 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666249990 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666290998 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666301012 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666309118 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.666328907 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666356087 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.666363955 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666378021 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666390896 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.666440010 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666476011 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.666515112 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666538954 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.666544914 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.666594982 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.671185970 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671216011 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671277046 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671286106 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671308041 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.671331882 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671380997 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671380997 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.671410084 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.671421051 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671431065 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671456099 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.671462059 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671502113 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.671520948 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.671541929 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671551943 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671592951 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.671608925 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.676110029 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676165104 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676176071 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676239967 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676310062 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676354885 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676625967 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676637888 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676649094 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676664114 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.676925898 CET	49158	50039	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:23.678360939 CET	50039	49158	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:23.711539030 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:24.456626892 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:24.536561012 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:29.792404890 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:29.797307968 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:29.797418118 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:30.613075018 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:30.613221884 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:30.618066072 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:30.936125040 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:30.936966896 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:30.941800117 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:31.280066013 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:31.296464920 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:31.301386118 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:31.619524002 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:31.620167971 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:31.625920057 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:31.943799019 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:31.943955898 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:31.948803902 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.138654947 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.143558979 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.184923887 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.189836025 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.267169952 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.267363071 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.272192001 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.388719082 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.393804073 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.468861103 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.469379902 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.474344969 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.474456072 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.474577904 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.479466915 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.521197081 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.521944046 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.526793003 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.526993990 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.526994944 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.531995058 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.590508938 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.590939999 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.595825911 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.595927000 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.595969915 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.600770950 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.736267090 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.737901926 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.742860079 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:32.743074894 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.743185997 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:32.748054028 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.300606966 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.301029921 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.306035995 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306047916 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306056976 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306103945 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.306130886 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.306171894 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306181908 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306221962 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306231022 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.306231976 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306248903 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306258917 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306291103 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.306301117 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.306334972 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.310972929 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.310986042 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.310996056 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311034918 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311034918 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311043024 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311077118 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311100006 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311115026 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311115026 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311153889 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311173916 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311177015 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311192036 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311219931 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311256886 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311305046 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311325073 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311362028 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311374903 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311377048 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.311405897 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.311424971 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.315809965 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.315866947 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.315877914 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.315907001 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.315963984 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.315984964 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.316009998 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.316036940 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.316051006 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.316076040 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.316121101 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.316256046 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.316266060 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.316400051 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.316411018 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.316420078 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.320712090 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.320759058 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.320981026 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.320990086 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.321007967 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.321017981 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.321033955 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.321043015 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.321063042 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.321336031 CET	64021	50041	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.321382999 CET	50041	64021	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.352147102 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.352178097 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.352442980 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.357295036 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357306957 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357346058 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.357351065 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357362032 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357387066 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357397079 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357402086 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.357436895 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357455015 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.357495070 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.357496023 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357507944 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357518911 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.357553005 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.357578039 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.362153053 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362164021 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362174988 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362219095 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.362238884 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.362253904 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362263918 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362289906 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362350941 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.362386942 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362437010 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362464905 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362514019 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.362544060 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.362601995 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.367116928 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367227077 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367331028 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367428064 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367461920 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367559910 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367569923 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367677927 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367762089 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367858887 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.367953062 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368005991 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368067026 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368077040 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368102074 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368112087 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368160009 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368169069 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368206978 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368216991 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368392944 CET	59944	50042	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.368462086 CET	50042	59944	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.399065971 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.416876078 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.417121887 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.421977997 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.421998978 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.422046900 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.422049046 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.422071934 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.422079086 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.422091007 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.422101974 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.422120094 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.422121048 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.422141075 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.422177076 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.422194004 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.422204018 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.422240019 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.422241926 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.422400951 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.426933050 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.426944971 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427012920 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.427037001 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427047014 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427094936 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.427098989 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427110910 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427114010 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.427143097 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.427145004 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427154064 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.427186012 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427194118 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.427239895 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427292109 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427306890 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.427340031 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427419901 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.427423000 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.427510023 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432017088 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432037115 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432077885 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432127953 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432173967 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432193995 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432234049 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432288885 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432322025 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432339907 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432410955 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432421923 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432465076 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432476044 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432526112 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432535887 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432559967 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432569027 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432782888 CET	62570	50043	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.432845116 CET	50043	62570	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.461594105 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.569226027 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.569480896 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.574439049 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574450970 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574470997 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574481010 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574489117 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574498892 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574517965 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574542999 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.574589014 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.574594021 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574604988 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574613094 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.574634075 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.574635029 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.574660063 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.574678898 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579348087 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579406023 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579457998 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579468012 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579510927 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579526901 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579530001 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579561949 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579585075 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579597950 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579607964 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579634905 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579653978 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579675913 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579694986 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579714060 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579751968 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579754114 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579766989 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579787970 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.579847097 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.579894066 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.584209919 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584328890 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584330082 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.584355116 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584397078 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.584414005 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.584458113 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584507942 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584517956 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.584542990 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584562063 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584587097 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.584611893 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584726095 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584737062 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.584779024 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589253902 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589277029 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589287043 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589323997 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589334011 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589371920 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589380980 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589456081 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589466095 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589493990 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589633942 CET	50413	50044	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:33.589674950 CET	50044	50413	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:33.617810965 CET	50031	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:34.095834970 CET	21	49759	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:34.146756887 CET	21	49753	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:34.149044037 CET	49759	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:34.195919037 CET	49753	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:34.208699942 CET	21	50040	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:34.258420944 CET	50040	21	192.168.2.4	110.4.45.197
Jan 10, 2025 19:18:34.368439913 CET	21	50031	110.4.45.197	192.168.2.4
Jan 10, 2025 19:18:34.414740086 CET	50031	21	192.168.2.4	110.4.45.197

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:16:22.900721073 CET	64483	53	192.168.2.4	1.1.1.1
Jan 10, 2025 19:16:22.908207893 CET	53	64483	1.1.1.1	192.168.2.4
Jan 10, 2025 19:16:25.016216993 CET	56502	53	192.168.2.4	1.1.1.1
Jan 10, 2025 19:16:25.259402990 CET	53	56502	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 19:16:22.900721073 CET	192.168.2.4	1.1.1.1	0x4c38	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:16:25.016216993 CET	192.168.2.4	1.1.1.1	0x350e	Standard query (0)	ftp.haliza.com.my	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 19:16:22.908207893 CET	1.1.1.1	192.168.2.4	0x4c38	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:16:22.908207893 CET	1.1.1.1	192.168.2.4	0x4c38	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:16:22.908207893 CET	1.1.1.1	192.168.2.4	0x4c38	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:16:25.259402990 CET	1.1.1.1	192.168.2.4	0x350e	No error (0)	ftp.haliza.com.my	110.4.45.197	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	104.26.12.205	443	7948	C:\Users\user\Desktop\s2Jg1MAahY.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:16:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 18:16:23 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 18:16:23 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffea86c7b1ec413-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1573&rtt_var=599&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1856325&cwnd=181&unsent_bytes=0&cid=efb3720ebe144b26&ts=385&x=0"
2025-01-10 18:16:23 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	104.26.12.205	443	7436	C:\Users\user\AppData\Roaming\GedTanqRR.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:16:31 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 18:16:31 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 18:16:31 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffea89c3a6318d0-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1474&rtt_var=575&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1864623&cwnd=191&unsent_bytes=0&cid=735a06f0baba7473&ts=176&x=0"
2025-01-10 18:16:31 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	104.26.12.205	443	7960	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:16:37 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 18:16:37 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 18:16:37 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffea8c4eda7de98-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1494&min_rtt=1491&rtt_var=567&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1918528&cwnd=212&unsent_bytes=0&cid=6cbc174811b8c4f8&ts=604&x=0"
2025-01-10 18:16:37 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49758	104.26.12.205	443	5472	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:16:46 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 18:16:46 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 18:16:46 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffea8f82eae4277-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1578&rtt_var=654&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1596500&cwnd=197&unsent_bytes=0&cid=6eb1fe12d1014043&ts=738&x=0"
2025-01-10 18:16:46 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 10, 2025 19:16:26.217956066 CET	21	49738	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 02:16. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 10, 2025 19:16:26.218301058 CET	49738	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Jan 10, 2025 19:16:26.551255941 CET	21	49738	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Jan 10, 2025 19:16:26.551418066 CET	49738	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Jan 10, 2025 19:16:26.951740980 CET	21	49738	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Jan 10, 2025 19:16:27.287350893 CET	21	49738	110.4.45.197	192.168.2.4	504 Unknown command
Jan 10, 2025 19:16:27.288420916 CET	49738	21	192.168.2.4	110.4.45.197	PWD
Jan 10, 2025 19:16:27.611993074 CET	21	49738	110.4.45.197	192.168.2.4	257 "/" is your current location
Jan 10, 2025 19:16:27.612147093 CET	49738	21	192.168.2.4	110.4.45.197	TYPE I
Jan 10, 2025 19:16:27.976144075 CET	21	49738	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Jan 10, 2025 19:16:27.976352930 CET	49738	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:28.299974918 CET	21	49738	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,219,237)
Jan 10, 2025 19:16:28.305877924 CET	49738	21	192.168.2.4	110.4.45.197	STOR CO_Chrome_Default.txt_user-745481_2025_01_10_13_46_23.txt
Jan 10, 2025 19:16:29.157676935 CET	21	49738	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:29.495646000 CET	21	49738	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.338 seconds (measured here), 9.70 Kbytes per second
Jan 10, 2025 19:16:29.496218920 CET	49738	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:29.820641994 CET	21	49738	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,242,180)
Jan 10, 2025 19:16:29.826813936 CET	49738	21	192.168.2.4	110.4.45.197	STOR CO_Firefox_fqs92o4p.default-release.txt_user-745481_2025_01_10_19_35_02.txt
Jan 10, 2025 19:16:30.672576904 CET	21	49738	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:30.996934891 CET	21	49738	110.4.45.197	192.168.2.4	226 File successfully transferred
Jan 10, 2025 19:16:33.685415983 CET	21	49743	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 02:16. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 10, 2025 19:16:33.685688019 CET	49743	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Jan 10, 2025 19:16:34.012408018 CET	21	49743	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Jan 10, 2025 19:16:34.012701035 CET	49743	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Jan 10, 2025 19:16:34.378088951 CET	21	49743	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Jan 10, 2025 19:16:34.705820084 CET	21	49743	110.4.45.197	192.168.2.4	504 Unknown command
Jan 10, 2025 19:16:34.882468939 CET	49743	21	192.168.2.4	110.4.45.197	PWD
Jan 10, 2025 19:16:35.217176914 CET	21	49743	110.4.45.197	192.168.2.4	257 "/" is your current location
Jan 10, 2025 19:16:35.221441031 CET	49743	21	192.168.2.4	110.4.45.197	TYPE I
Jan 10, 2025 19:16:35.568030119 CET	21	49743	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Jan 10, 2025 19:16:35.568238020 CET	49743	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:35.894321918 CET	21	49743	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,193,104)
Jan 10, 2025 19:16:35.902329922 CET	49743	21	192.168.2.4	110.4.45.197	STOR PW_user-745481_2025_01_10_13_16_31.html
Jan 10, 2025 19:16:36.746552944 CET	21	49743	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:37.072251081 CET	21	49743	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.335 seconds (measured here), 1.01 Kbytes per second
Jan 10, 2025 19:16:37.096971035 CET	49743	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:37.424634933 CET	21	49743	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,193,68)
Jan 10, 2025 19:16:37.869219065 CET	49743	21	192.168.2.4	110.4.45.197	STOR CO_Chrome_Default.txt_user-745481_2025_01_10_18_35_29.txt
Jan 10, 2025 19:16:38.694217920 CET	21	49743	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:39.020669937 CET	21	49743	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.326 seconds (measured here), 10.05 Kbytes per second
Jan 10, 2025 19:16:39.022691011 CET	49743	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:39.347632885 CET	21	49743	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,216,144)
Jan 10, 2025 19:16:39.349699974 CET	21	49753	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 02:16. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 10, 2025 19:16:39.349905014 CET	49753	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Jan 10, 2025 19:16:39.353792906 CET	49743	21	192.168.2.4	110.4.45.197	STOR CO_Firefox_fqs92o4p.default-release.txt_user-745481_2025_01_10_20_44_20.txt
Jan 10, 2025 19:16:39.742343903 CET	21	49753	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Jan 10, 2025 19:16:39.742525101 CET	49753	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Jan 10, 2025 19:16:40.120299101 CET	21	49753	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Jan 10, 2025 19:16:40.194278002 CET	21	49743	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:40.485646963 CET	21	49753	110.4.45.197	192.168.2.4	504 Unknown command
Jan 10, 2025 19:16:40.487755060 CET	49753	21	192.168.2.4	110.4.45.197	PWD
Jan 10, 2025 19:16:40.606847048 CET	21	49743	110.4.45.197	192.168.2.4	226 File successfully transferred
Jan 10, 2025 19:16:40.824549913 CET	21	49753	110.4.45.197	192.168.2.4	257 "/" is your current location
Jan 10, 2025 19:16:40.824840069 CET	49753	21	192.168.2.4	110.4.45.197	TYPE I
Jan 10, 2025 19:16:41.161221027 CET	21	49753	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Jan 10, 2025 19:16:41.161412001 CET	49753	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:41.497663021 CET	21	49753	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,218,206)
Jan 10, 2025 19:16:41.503463030 CET	49753	21	192.168.2.4	110.4.45.197	STOR PW_user-745481_2025_01_10_13_16_37.html
Jan 10, 2025 19:16:42.333451033 CET	21	49753	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:42.662556887 CET	21	49753	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.330 seconds (measured here), 1.03 Kbytes per second
Jan 10, 2025 19:16:42.686995983 CET	49753	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:43.022823095 CET	21	49753	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,225,60)
Jan 10, 2025 19:16:43.037434101 CET	49753	21	192.168.2.4	110.4.45.197	STOR CO_Chrome_Default.txt_user-745481_2025_01_10_19_15_26.txt
Jan 10, 2025 19:16:43.861056089 CET	21	49753	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:44.193226099 CET	21	49753	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.331 seconds (measured here), 9.90 Kbytes per second
Jan 10, 2025 19:16:44.193682909 CET	49753	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:44.530107021 CET	21	49753	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,205,48)
Jan 10, 2025 19:16:44.535860062 CET	49753	21	192.168.2.4	110.4.45.197	STOR CO_Firefox_fqs92o4p.default-release.txt_user-745481_2025_01_10_21_14_27.txt
Jan 10, 2025 19:16:45.396611929 CET	21	49753	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:45.737381935 CET	21	49753	110.4.45.197	192.168.2.4	226 File successfully transferred
Jan 10, 2025 19:16:47.572391033 CET	21	49759	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 02:16. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 02:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 10, 2025 19:16:47.572640896 CET	49759	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Jan 10, 2025 19:16:47.901946068 CET	21	49759	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Jan 10, 2025 19:16:47.902174950 CET	49759	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Jan 10, 2025 19:16:48.285723925 CET	21	49759	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Jan 10, 2025 19:16:48.646336079 CET	21	49759	110.4.45.197	192.168.2.4	504 Unknown command
Jan 10, 2025 19:16:48.647973061 CET	49759	21	192.168.2.4	110.4.45.197	PWD
Jan 10, 2025 19:16:48.977348089 CET	21	49759	110.4.45.197	192.168.2.4	257 "/" is your current location
Jan 10, 2025 19:16:48.977613926 CET	49759	21	192.168.2.4	110.4.45.197	TYPE I
Jan 10, 2025 19:16:49.307099104 CET	21	49759	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Jan 10, 2025 19:16:49.307257891 CET	49759	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:49.639954090 CET	21	49759	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,229,107)
Jan 10, 2025 19:16:49.648005962 CET	49759	21	192.168.2.4	110.4.45.197	STOR PW_user-745481_2025_01_10_13_16_45.html
Jan 10, 2025 19:16:50.477369070 CET	21	49759	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:50.809942961 CET	21	49759	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.332 seconds (measured here), 1.02 Kbytes per second
Jan 10, 2025 19:16:50.837033033 CET	49759	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:51.167097092 CET	21	49759	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,240,151)
Jan 10, 2025 19:16:51.173996925 CET	49759	21	192.168.2.4	110.4.45.197	STOR CO_Chrome_Default.txt_user-745481_2025_01_10_19_25_32.txt
Jan 10, 2025 19:16:52.018157005 CET	21	49759	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:52.372354984 CET	21	49759	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.331 seconds (measured here), 9.90 Kbytes per second
Jan 10, 2025 19:16:52.372692108 CET	49759	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:16:52.701991081 CET	21	49759	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,249,242)
Jan 10, 2025 19:16:52.707375050 CET	49759	21	192.168.2.4	110.4.45.197	STOR CO_Firefox_fqs92o4p.default-release.txt_user-745481_2025_01_10_21_34_29.txt
Jan 10, 2025 19:16:53.541420937 CET	21	49759	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:16:53.871710062 CET	21	49759	110.4.45.197	192.168.2.4	226 File successfully transferred
Jan 10, 2025 19:17:51.693269014 CET	49753	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:17:52.029386044 CET	21	49753	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,254,9)
Jan 10, 2025 19:17:52.034769058 CET	49753	21	192.168.2.4	110.4.45.197	STOR SC_user-745481_2025_01_19_05_33_21.jpeg
Jan 10, 2025 19:17:52.677995920 CET	49738	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:17:52.867397070 CET	21	49753	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:17:53.002171040 CET	21	49738	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,245,139)
Jan 10, 2025 19:17:53.007759094 CET	49738	21	192.168.2.4	110.4.45.197	STOR KL_user-745481_2025_01_24_06_41_35.html
Jan 10, 2025 19:17:53.580358028 CET	21	50005	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 02:17. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 02:17. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 02:17. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 02:17. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 10, 2025 19:17:53.580503941 CET	50005	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Jan 10, 2025 19:17:53.661854982 CET	21	49753	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.794 seconds (measured here), 93.24 Kbytes per second
Jan 10, 2025 19:17:53.823311090 CET	21	49738	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:17:53.917577982 CET	21	50005	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Jan 10, 2025 19:17:53.927798033 CET	50005	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Jan 10, 2025 19:17:54.162164927 CET	21	49738	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.339 seconds (measured here), 0.81 Kbytes per second
Jan 10, 2025 19:17:54.303798914 CET	21	50005	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Jan 10, 2025 19:17:54.641175032 CET	21	50005	110.4.45.197	192.168.2.4	504 Unknown command
Jan 10, 2025 19:17:54.641319036 CET	50005	21	192.168.2.4	110.4.45.197	PWD
Jan 10, 2025 19:17:54.978025913 CET	21	50005	110.4.45.197	192.168.2.4	257 "/" is your current location
Jan 10, 2025 19:17:54.978323936 CET	50005	21	192.168.2.4	110.4.45.197	TYPE I
Jan 10, 2025 19:17:55.315205097 CET	21	50005	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Jan 10, 2025 19:17:55.315325975 CET	50005	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:17:55.651962996 CET	21	50005	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,219,138)
Jan 10, 2025 19:17:55.657310963 CET	50005	21	192.168.2.4	110.4.45.197	STOR SC_user-745481_2025_01_24_07_31_47.jpeg
Jan 10, 2025 19:17:56.483218908 CET	21	50005	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:17:56.822586060 CET	21	50031	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 02:17. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 02:17. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 02:17. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 02:17. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 10, 2025 19:17:56.822740078 CET	50031	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Jan 10, 2025 19:17:57.153232098 CET	21	50031	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Jan 10, 2025 19:17:57.153458118 CET	50031	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Jan 10, 2025 19:17:57.284276009 CET	21	50005	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.801 seconds (measured here), 92.43 Kbytes per second
Jan 10, 2025 19:17:57.523694038 CET	21	50031	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Jan 10, 2025 19:17:57.892111063 CET	21	50031	110.4.45.197	192.168.2.4	504 Unknown command
Jan 10, 2025 19:17:57.894428968 CET	50031	21	192.168.2.4	110.4.45.197	PWD
Jan 10, 2025 19:17:58.226243973 CET	21	50031	110.4.45.197	192.168.2.4	257 "/" is your current location
Jan 10, 2025 19:17:58.226624012 CET	50031	21	192.168.2.4	110.4.45.197	TYPE I
Jan 10, 2025 19:17:58.557544947 CET	21	50031	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Jan 10, 2025 19:17:58.557708979 CET	50031	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:17:58.888945103 CET	21	50031	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,220,190)
Jan 10, 2025 19:17:58.894705057 CET	50031	21	192.168.2.4	110.4.45.197	STOR SC_user-745481_2025_02_03_04_40_23.jpeg
Jan 10, 2025 19:17:59.773782015 CET	21	50031	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:18:00.603761911 CET	21	50031	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.832 seconds (measured here), 89.04 Kbytes per second
Jan 10, 2025 19:18:07.674279928 CET	49753	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:18:08.010173082 CET	21	49753	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,253,86)
Jan 10, 2025 19:18:08.015813112 CET	49753	21	192.168.2.4	110.4.45.197	STOR SC_user-745481_2025_01_28_00_15_09.jpeg
Jan 10, 2025 19:18:08.865932941 CET	21	49753	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:18:09.661653042 CET	21	49753	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.796 seconds (measured here), 93.08 Kbytes per second
Jan 10, 2025 19:18:22.377106905 CET	49759	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:18:22.815439939 CET	21	49759	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,192,6)
Jan 10, 2025 19:18:22.822441101 CET	49759	21	192.168.2.4	110.4.45.197	STOR SC_user-745481_2025_01_28_21_20_30.jpeg
Jan 10, 2025 19:18:23.660964012 CET	21	49759	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:18:24.456626892 CET	21	49759	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.795 seconds (measured here), 93.12 Kbytes per second
Jan 10, 2025 19:18:30.613075018 CET	21	50040	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 02:18. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 02:18. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 02:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 02:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 10, 2025 19:18:30.613221884 CET	50040	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Jan 10, 2025 19:18:30.936125040 CET	21	50040	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Jan 10, 2025 19:18:30.936966896 CET	50040	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Jan 10, 2025 19:18:31.280066013 CET	21	50040	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Jan 10, 2025 19:18:31.619524002 CET	21	50040	110.4.45.197	192.168.2.4	504 Unknown command
Jan 10, 2025 19:18:31.620167971 CET	50040	21	192.168.2.4	110.4.45.197	PWD
Jan 10, 2025 19:18:31.943799019 CET	21	50040	110.4.45.197	192.168.2.4	257 "/" is your current location
Jan 10, 2025 19:18:31.943955898 CET	50040	21	192.168.2.4	110.4.45.197	TYPE I
Jan 10, 2025 19:18:32.138654947 CET	49759	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:18:32.184923887 CET	49753	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:18:32.267169952 CET	21	50040	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Jan 10, 2025 19:18:32.267363071 CET	50040	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:18:32.388719082 CET	50031	21	192.168.2.4	110.4.45.197	PASV
Jan 10, 2025 19:18:32.468861103 CET	21	49759	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,250,21)
Jan 10, 2025 19:18:32.474577904 CET	49759	21	192.168.2.4	110.4.45.197	STOR SC_user-745481_2025_01_10_13_18_31.jpeg
Jan 10, 2025 19:18:32.521197081 CET	21	49753	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,234,40)
Jan 10, 2025 19:18:32.526994944 CET	49753	21	192.168.2.4	110.4.45.197	STOR SC_user-745481_2025_01_10_13_18_31.jpeg
Jan 10, 2025 19:18:32.590508938 CET	21	50040	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,244,106)
Jan 10, 2025 19:18:32.595969915 CET	50040	21	192.168.2.4	110.4.45.197	STOR SC_user-745481_2025_01_10_13_18_28.jpeg
Jan 10, 2025 19:18:32.736267090 CET	21	50031	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,196,237)
Jan 10, 2025 19:18:32.743185997 CET	50031	21	192.168.2.4	110.4.45.197	STOR SC_user-745481_2025_01_10_13_18_31.jpeg
Jan 10, 2025 19:18:33.300606966 CET	21	49759	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:18:33.352147102 CET	21	49753	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:18:33.416876078 CET	21	50040	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:18:33.569226027 CET	21	50031	110.4.45.197	192.168.2.4	150 Accepted data connection
Jan 10, 2025 19:18:34.095834970 CET	21	49759	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.795 seconds (measured here), 95.09 Kbytes per second
Jan 10, 2025 19:18:34.146756887 CET	21	49753	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.794 seconds (measured here), 95.27 Kbytes per second
Jan 10, 2025 19:18:34.208699942 CET	21	50040	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.791 seconds (measured here), 93.64 Kbytes per second
Jan 10, 2025 19:18:34.368439913 CET	21	50031	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.801 seconds (measured here), 94.53 Kbytes per second

Target ID:	0
Start time:	13:16:17
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\s2Jg1MAahY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\s2Jg1MAahY.exe"
Imagebase:	0xb20000
File size:	837'640 bytes
MD5 hash:	6239C4047E0F1C4F55A96199E77D3669
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1773872051.0000000004A92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:16:20
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\s2Jg1MAahY.exe"
Imagebase:	0x700000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:16:20
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:16:21
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GedTanqRR.exe"
Imagebase:	0x700000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:16:21
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:16:21
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpF8DD.tmp"
Imagebase:	0xce0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:16:21
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:16:21
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\s2Jg1MAahY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\s2Jg1MAahY.exe"
Imagebase:	0xe50000
File size:	837'640 bytes
MD5 hash:	6239C4047E0F1C4F55A96199E77D3669
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2977044627.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2977044627.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2977044627.00000000032CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	13:16:22
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\GedTanqRR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GedTanqRR.exe
Imagebase:	0xda0000
File size:	837'640 bytes
MD5 hash:	6239C4047E0F1C4F55A96199E77D3669
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1854063501.0000000004C3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1854063501.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:16:25
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:16:28
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmpE4A.tmp"
Imagebase:	0xce0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:16:29
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:16:29
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\GedTanqRR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GedTanqRR.exe"
Imagebase:	0x9a0000
File size:	837'640 bytes
MD5 hash:	6239C4047E0F1C4F55A96199E77D3669
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2976437638.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2976437638.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2976437638.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	13:16:34
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase:	0xfc0000
File size:	837'640 bytes
MD5 hash:	6239C4047E0F1C4F55A96199E77D3669
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.1918087486.0000000005023000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:16:35
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp30F5.tmp"
Imagebase:	0xce0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:16:35
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:16:35
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase:	0x280000
File size:	837'640 bytes
MD5 hash:	6239C4047E0F1C4F55A96199E77D3669
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:16:35
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase:	0xe30000
File size:	837'640 bytes
MD5 hash:	6239C4047E0F1C4F55A96199E77D3669
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2978687835.000000000335C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2978687835.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2978687835.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	13:16:42
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase:	0x810000
File size:	837'640 bytes
MD5 hash:	6239C4047E0F1C4F55A96199E77D3669
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:16:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GedTanqRR" /XML "C:\Users\user\AppData\Local\Temp\tmp50A2.tmp"
Imagebase:	0xce0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:16:43
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:16:43
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase:	0x790000
File size:	837'640 bytes
MD5 hash:	6239C4047E0F1C4F55A96199E77D3669
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.2977002334.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.2977002334.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.2977002334.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	132
Total number of Limit Nodes:	7

Executed Functions

Function 07A54180 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 07A542F0
UC;", xrefs: 07A5436E

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: ec2aeeb82e19627846d354a957c17f685b8a4c8644dc34f7c8a64a065d507bed
Instruction ID: 8c6a8900c8fcdf8cbf576b4dbca0bc3a55d164d77e1543641d2441c06bd7ba84
Opcode Fuzzy Hash: ec2aeeb82e19627846d354a957c17f685b8a4c8644dc34f7c8a64a065d507bed
Instruction Fuzzy Hash: 6391F6B9D15209EFCB08CFE6D58059EFFB2BF89310F20942AE825A7264D7349652CF50

Function 07A54170 Relevance: 2.7, Strings: 2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 07A542F0
UC;", xrefs: 07A5436E

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 0b0c17729a8dc70cf220823d15b1d46fc9505cef6c45b8dd1b16e83fa155cb7b
Instruction ID: 2423cc46df960704d81be68c7bfea2990738b7e935544aff88dce1325978e6bf
Opcode Fuzzy Hash: 0b0c17729a8dc70cf220823d15b1d46fc9505cef6c45b8dd1b16e83fa155cb7b
Instruction Fuzzy Hash: DA91F5B9D15209EFCB08CFE5E58459EFFB2BF89310F20942AE825A7264D7349652CF40

Function 07A52B4A Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

5=6, xrefs: 07A52C86

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 77e4dc7c28a511171209a36b30ba2dc7f4c3032016e4cc31bb00e631a501460c
Instruction ID: 394686e5b405cb203e4b9b2a1131e137a2fa54d0da55c677c71eeaceda40b2c7
Opcode Fuzzy Hash: 77e4dc7c28a511171209a36b30ba2dc7f4c3032016e4cc31bb00e631a501460c
Instruction Fuzzy Hash: C77138B4E1521ADFCB04CFA6D8455AEFFB2BF8A201F10D42AD826E7254DB349A018F50

Function 07A52B58 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

5=6, xrefs: 07A52C86

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 04f5982e069dc2c62ed93bf6611c83132bbbfa21546e9b238d7348f5b42bed0f
Instruction ID: c4e01c077c97c41b9bcbf0363b939d7a2c21c3cafa7c51d2b42c750498d9116b
Opcode Fuzzy Hash: 04f5982e069dc2c62ed93bf6611c83132bbbfa21546e9b238d7348f5b42bed0f
Instruction Fuzzy Hash: 336138B4E1520ADFCB08CFA6D8455AEFBF2BF89201F10D42AD826E7254DB349A018F50

Function 0ED53078 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784016502.000000000ED50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ED50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb96cb6c95d086e2ef5beb027f58cb7ff08f88dc613eac53de8ddc4cea28ac1
Instruction ID: 07c30fc26bfa1ccbb2741112b41e861b245d92134edae01956a8f320bd721d4d
Opcode Fuzzy Hash: ceb96cb6c95d086e2ef5beb027f58cb7ff08f88dc613eac53de8ddc4cea28ac1
Instruction Fuzzy Hash: EEC18A727006008BEB19EB6AC460BAAB6F6EF89740F24446ED946CB3A4DB34DC45CB51

Function 07A54A80 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02a0c0644c09f0578c69124afe56b69c2c6d811007e0d74050ec0667e1d1dc7
Instruction ID: 809dfd63cda8298dc1c27a5f5d823f07560749efc31be637a401c1caedc16416
Opcode Fuzzy Hash: e02a0c0644c09f0578c69124afe56b69c2c6d811007e0d74050ec0667e1d1dc7
Instruction Fuzzy Hash: BDB126B5D15249DFCB18CFE6D58069EFBB2BF89304F20D42AD429AB254DB349A46CF10

Function 07A54A71 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdfeb4f1adf77f3b88eeef1ff711f5551d258ab7054de2db9352908274e6b97
Instruction ID: 93a64ffe01a3c98f85e026e7f12f25587f9684f35a3b4ce5f5f6f6624f310c50
Opcode Fuzzy Hash: 9cdfeb4f1adf77f3b88eeef1ff711f5551d258ab7054de2db9352908274e6b97
Instruction Fuzzy Hash: 38B106B5D15249DFCB18CFE6D58069EFBB2BF89304F20D42AD429AB254DB349A46CF10

Function 07A52FAA Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41160f8fd7a8e1e94cc69cd3f92ed89688e380005de585437aa7b9b098c6b335
Instruction ID: aabc805cbd02d314c2a2fcbdb6f7e8e827ff1c2d07877081ea92dd38779c650d
Opcode Fuzzy Hash: 41160f8fd7a8e1e94cc69cd3f92ed89688e380005de585437aa7b9b098c6b335
Instruction Fuzzy Hash: 764193B0E2520ADFCB04CFA5D5416AEFFF2FB99300F20946AC815B7294D3749B458B94

Function 0ED5147A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784016502.000000000ED50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ED50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74a309e0076351548dfa0c6014536016a6677ca1dfd6b4d5c814f8200802d05
Instruction ID: fa6740ed2cf0894df420543f38040efaaa8a60639e0e666a4a0aeb4a3023104a
Opcode Fuzzy Hash: f74a309e0076351548dfa0c6014536016a6677ca1dfd6b4d5c814f8200802d05
Instruction Fuzzy Hash: 6EE0C269C0F584DFCB41DB2055C47F87FF8DB0B100F4820D5DC99A7602D5309D448B14

Function 0ED51991 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784016502.000000000ED50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ED50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f45b61bc01e4c423e4faa9cdb54ab5b600a77a33b6969e96a9762685002b24f
Instruction ID: b4e2538cde207f49f2c7da7c9be6b9216aec89a3542fb93dd4d9df6852bc63e2
Opcode Fuzzy Hash: 3f45b61bc01e4c423e4faa9cdb54ab5b600a77a33b6969e96a9762685002b24f
Instruction Fuzzy Hash: DAA00242E4FE01819D000C4319C0AF1D17DC64F160DC8305019DA376C7A890FC12110C

Function 07A5EF08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A5F13E

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: efb8b2a45d998b6795b51573e846b1abee61d7ce217e6c235e9d03d7b93911e0
Instruction ID: 42f08d5aae796b137e61e153c30bad3ae750c462b7ad9a9f6230cb62d9c77b36
Opcode Fuzzy Hash: efb8b2a45d998b6795b51573e846b1abee61d7ce217e6c235e9d03d7b93911e0
Instruction Fuzzy Hash: 0C916FB1D0021ADFDF14DF69C841BDEBBB2BF84310F148569E819A7240EB749985CF92

Function 0143AD68 Relevance: 1.7, APIs: 1, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0143AFBE

Memory Dump Source

Source File: 00000000.00000002.1772730114.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_s2Jg1MAahY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0a0ca727a53163101e710f368362f7b49de6b94b60d1860159a5830ae6d7bc46
Instruction ID: 912e1d7553046d9716e31e08ab33ad0ebf5b154541e8ea214ed30fef390d0bad
Opcode Fuzzy Hash: 0a0ca727a53163101e710f368362f7b49de6b94b60d1860159a5830ae6d7bc46
Instruction Fuzzy Hash: C48144B0A40B058FDB24DF6AC04575ABBF1BF88314F10892ED18AD7A60D775E84ACB90

Function 014358ED Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014359A9

Memory Dump Source

Source File: 00000000.00000002.1772730114.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_s2Jg1MAahY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bc510fbc07b3cd775dad63b4096577b0e7a9c7658e9ad1b35403d24a19412f58
Instruction ID: 90a0275815d3407e9652928171cfd8936e5798e84c3a59089b14b82dcdc29a55
Opcode Fuzzy Hash: bc510fbc07b3cd775dad63b4096577b0e7a9c7658e9ad1b35403d24a19412f58
Instruction Fuzzy Hash: 5B5100B1D00719CFDB24DFA9C88479EBBF5AF88314F20806AD108AB261D7756946CF91

Function 014344B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014359A9

Memory Dump Source

Source File: 00000000.00000002.1772730114.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_s2Jg1MAahY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 743dc9a82535b2a5c85c197091b350ed2e185e2f75d6f80bb5ff06b502bb6261
Instruction ID: d556661acdef8307391fe6f73580e65c7ac7b13274e27dc099d9e97d27bad4c5
Opcode Fuzzy Hash: 743dc9a82535b2a5c85c197091b350ed2e185e2f75d6f80bb5ff06b502bb6261
Instruction Fuzzy Hash: DD41F0B0C0071DCBDB24DFA9C884B9EBBF5BF88314F20806AD419AB251DB716946CF91

Function 07A5EC80 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A5ED10

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7ef139468b6ab3776966ade0c38daa2a442f1522873b5124a35971afc30161e2
Instruction ID: 397b029dc2d2498f53c7b73275a2acacebde83e35ede9d44230a9eb39af24349
Opcode Fuzzy Hash: 7ef139468b6ab3776966ade0c38daa2a442f1522873b5124a35971afc30161e2
Instruction Fuzzy Hash: 452139B1D003499FCB10DFA9C885BDEBBF5FF88310F108429E929A7240C7799954DBA4

Function 0143D23C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0143D616,?,?,?,?,?), ref: 0143D6D7

Memory Dump Source

Source File: 00000000.00000002.1772730114.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_s2Jg1MAahY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c77b4c494d1e8982a05163f81fc279b9b7b16192e9fe4a97d214977d5070e832
Instruction ID: 6eccb5b2e0d6cc321e2487dec9c59db61382af69364664ad0db5d69f41fb8330
Opcode Fuzzy Hash: c77b4c494d1e8982a05163f81fc279b9b7b16192e9fe4a97d214977d5070e832
Instruction Fuzzy Hash: 452103B5D002489FDB10CF9AD984ADEBBF8EB48320F10801AE928A3351D374A950DFA4

Function 07A5ED70 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A5EDF0

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 96a7f948e4596df443d53682db561291704ed83e5bcb4648f9bb50375ab21d48
Instruction ID: cbfb92e6d2124734fc5a6d9e8912e5161dbd71e0d183a7174153d1a7603c269b
Opcode Fuzzy Hash: 96a7f948e4596df443d53682db561291704ed83e5bcb4648f9bb50375ab21d48
Instruction Fuzzy Hash: 242128B1C003599FCB10DFAAC845ADEFBF5FF88310F108429E929A7240C7749944DBA4

Function 07A5EAE8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A5EB66

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c62a98e42b8924e2540cf0affba120a81024cb9f50f0f152a43a8e360e05b508
Instruction ID: 3c4641873eeb9d39ed16d780f53b061a9de59f8ba2e6d9ec993ca06fa8517530
Opcode Fuzzy Hash: c62a98e42b8924e2540cf0affba120a81024cb9f50f0f152a43a8e360e05b508
Instruction Fuzzy Hash: E62139B1D043098FDB10DFAAC4457EEBBF4EB88310F148429D519A7241C7789A44CFA4

Function 0143D648 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0143D616,?,?,?,?,?), ref: 0143D6D7

Memory Dump Source

Source File: 00000000.00000002.1772730114.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_s2Jg1MAahY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 06087c8c376b3e8a1caff180406ad15f6948bc96cc24c628067d127521dd1058
Instruction ID: 6fc9d345c91b617de0e27e699ee46add774cb6e45880603a0ed19b13a4301332
Opcode Fuzzy Hash: 06087c8c376b3e8a1caff180406ad15f6948bc96cc24c628067d127521dd1058
Instruction Fuzzy Hash: 0721E2B5D002099FDB10CFAAD985ADEBBF5FB48320F14841AE969B3350D378A944DF64

Function 07A52827 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07A527EB

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4a508622da63a68e6bb540792c4a67e4a7ca3397fc78d7a6bc3c9d7abd724d3f
Instruction ID: 139242ac05dd2490e1fa2fa85d63a6b6fff79aff794ef29d63bbdce227a355d5
Opcode Fuzzy Hash: 4a508622da63a68e6bb540792c4a67e4a7ca3397fc78d7a6bc3c9d7abd724d3f
Instruction Fuzzy Hash: 6D113AF6900209AFDB10DF99C8447DEBBF0BB54320F108159E96897290D3359655DB61

Function 07A52770 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07A527EB

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f648dc34127a23f8e217ec339117639fce783fc0ae4481a632e68d5c87d38391
Instruction ID: dc86f221133438c7eaf713b7ea100b764a8feef14e7b42ab9cf2de8e34347e1c
Opcode Fuzzy Hash: f648dc34127a23f8e217ec339117639fce783fc0ae4481a632e68d5c87d38391
Instruction Fuzzy Hash: 1D21C7B59002499FDB10DF9AC584BDEFBF4FB48310F10846AE868A7251D774A644CFA5

Function 07A52778 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07A527EB

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cdaae5c33be89311e97a8e270941f21e5e546cf0e8a45870369d14011c84a743
Instruction ID: 3ca5c020807fd37f9c10f322a6722cd020b5009ef105c82b3e6a0d4a6680756d
Opcode Fuzzy Hash: cdaae5c33be89311e97a8e270941f21e5e546cf0e8a45870369d14011c84a743
Instruction Fuzzy Hash: D821E4B59002499FCB10DF9AC985BDEFBF4FB48320F108429E968A7251D378A644CFA5

Function 07A5EBC0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A5EC2E

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 304525f627566ba0781fa4548498ebbb38934df5dc8a69ef89f8e514a37500cf
Instruction ID: b2e88626a71a4dff4d85510f2586bd739172e6b8949cd74669812d0907a36e3c
Opcode Fuzzy Hash: 304525f627566ba0781fa4548498ebbb38934df5dc8a69ef89f8e514a37500cf
Instruction Fuzzy Hash: 381167B18003499FCB10DFAAC845ADFBFF5EF88320F208819E529A7250C775A940CFA0

Function 07A5EA38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07A5EA9A

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e6a441fd29339373320911bd9b21bdb8f721cf869cca2d4882e86a04b6d5ff74
Instruction ID: 4048fb4a8f0123243b5a7d302b410f49832ee911f2490b7ed330ae01b34e32f5
Opcode Fuzzy Hash: e6a441fd29339373320911bd9b21bdb8f721cf869cca2d4882e86a04b6d5ff74
Instruction Fuzzy Hash: 831136B1D043498FDB24DFAAC4457DEFBF5EB88324F208819D529A7240CB75A944CBA4

Function 0143AF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0143AFBE

Memory Dump Source

Source File: 00000000.00000002.1772730114.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_s2Jg1MAahY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c7dc2537df40bea031f128fe46344ec46b2b7b176590c461f09ac99ef0658bab
Instruction ID: 9377b5e0e6086bd51ac87782d3cdf853bcb99f7e5787d35da571018a7e54a979
Opcode Fuzzy Hash: c7dc2537df40bea031f128fe46344ec46b2b7b176590c461f09ac99ef0658bab
Instruction Fuzzy Hash: 281110B5C003498FDB14CF9AC444ADEFBF4EB88324F20841AD469A7650C379A545CFA1

Function 0ED52131 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0ED52195

Memory Dump Source

Source File: 00000000.00000002.1784016502.000000000ED50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ED50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed50000_s2Jg1MAahY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a16cb467d9b52e8e6667832c9194e2b35592b2c4fd80f9f4250f8fbde0b9857d
Instruction ID: c5ac5fff3bbb8dcf02be931ef0f90578fc1750da2b81c7c0f0ac876b3af514c3
Opcode Fuzzy Hash: a16cb467d9b52e8e6667832c9194e2b35592b2c4fd80f9f4250f8fbde0b9857d
Instruction Fuzzy Hash: AB1103B58003489FDB10DF9AC949BDEBBF8FB48320F10881AE918A7350C375A944CFA1

Function 0ED52138 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0ED52195

Memory Dump Source

Source File: 00000000.00000002.1784016502.000000000ED50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ED50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed50000_s2Jg1MAahY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e007eb97ab635b3251c98d375136feb3ed64d664b1d9091b0d54928fbb253788
Instruction ID: c355fc474992b494462f748ddf90c7dd9fe97d5e5e81f5117a00fefb8ca6747e
Opcode Fuzzy Hash: e007eb97ab635b3251c98d375136feb3ed64d664b1d9091b0d54928fbb253788
Instruction Fuzzy Hash: 0D11D0B58003499FDB10DF9AC989BDEBBF8EB48320F10845AE918A7350C375A944CFA5

Function 0119D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772043101.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6258f7f35b9caf66dca640499a6a64578e6b38822ca6dcb05e29976b43e7aae
Instruction ID: 2d72cdc98fa30ed87184012abe90959ffa08c13409e26f51caaff813454c7daf
Opcode Fuzzy Hash: c6258f7f35b9caf66dca640499a6a64578e6b38822ca6dcb05e29976b43e7aae
Instruction Fuzzy Hash: 6A216AB1504200DFDF09DF48E9C0B66BF65FB94324F20C56CD90A0B646C336E416C7A2

Function 011AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772108970.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be04e34e87ed125c21786a7fb821b4b10cd9d2816f3402c5505fa15fb954023
Instruction ID: 461612445a92c6a11800a291085dfcf3a53f1d6cf0fa157dcda0e87b35505e97
Opcode Fuzzy Hash: 7be04e34e87ed125c21786a7fb821b4b10cd9d2816f3402c5505fa15fb954023
Instruction Fuzzy Hash: 382103B9644600DFCF19DF58EA84B26BFA5EB84314F60C56DD80A4B642C336D407CA62

Function 011AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772108970.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff0a729a2153b9065f95e4dbd5ee6d40f06ef6b771e25b6c20fde36dd36593c
Instruction ID: 366759620ef6c9370a9be48041ba776dce13687f93805816e4ba7fb2f7192d7c
Opcode Fuzzy Hash: fff0a729a2153b9065f95e4dbd5ee6d40f06ef6b771e25b6c20fde36dd36593c
Instruction Fuzzy Hash: 4C21F879504600DFDF09DF54E5C4B25BFA5FB84324F64C56EE90A4B652C336D406CA62

Function 011AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772108970.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932b6e8c6673761e49740e92c504f44d8da5ba85834942bf9bda8d36623f0cc7
Instruction ID: 7e9739ec4400d7d9e1d63a107bfe86ec450226539bf51a76a4045e1823679af8
Opcode Fuzzy Hash: 932b6e8c6673761e49740e92c504f44d8da5ba85834942bf9bda8d36623f0cc7
Instruction Fuzzy Hash: 1021C2755487809FCB07CF24D994711BF71EF46214F28C5DAD8498F6A7C33A980ACB62

Function 0119D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772043101.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: b9eb282852be4df01a7203ae96d43a8168476512aece635478c43fac137911ac
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 4611DC76504280CFDF06CF44E9C4B56BF72FB84324F24C2A9D9090B656C33AE45ACBA2

Function 011AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772108970.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: d1a6f0f05f832c89d60ae782c29f2eca78bb6509d5cdd6c481282ad8e880c0d7
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 3711BB79904680DFDB06CF54D5C4B15BFB2FB84224F24C6AED8494B6A6C33AD40ACB62

Non-executed Functions

Function 07A55030 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

{#L, xrefs: 07A55208

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: ccb9690bf895613cdd753dc27c836c498cebcfd68c981a79bfc791b625901dc3
Instruction ID: 7bf856685043981813485a0e47af8a8224eced460dd0a5455b18d0c55117b29b
Opcode Fuzzy Hash: ccb9690bf895613cdd753dc27c836c498cebcfd68c981a79bfc791b625901dc3
Instruction Fuzzy Hash: DDD108B1E15219DFCB18CFAAD58059EFBF2BF89310F14D52AD425AB228E7349942CF50

Function 07A55021 Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

{#L, xrefs: 07A55208

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 4270e63a234110ae76ef26c480fad8a258aeab2436b31105e07271d0d3347ce9
Instruction ID: ac459e584de4e833d5bd26aa704c3d2c0015cb709fbf9c6aebf123e5b98aaba8
Opcode Fuzzy Hash: 4270e63a234110ae76ef26c480fad8a258aeab2436b31105e07271d0d3347ce9
Instruction Fuzzy Hash: 70D1F8B1E15219DFCB18CFAAD58059DFBF2BF89310F14D52AD425AB228E7349942CF50

Function 07A53140 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 07A53266

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 7fe180686c6ecdb5947114cf0314ce35d14525b23f8ac1f92ce8054c19484baf
Instruction ID: 6b223d359ca63bbf3c8fbe9f274d53333cbecd610fe53b0f991e130dc69f7ca2
Opcode Fuzzy Hash: 7fe180686c6ecdb5947114cf0314ce35d14525b23f8ac1f92ce8054c19484baf
Instruction Fuzzy Hash: 2A5115B4E11219DFCF08CFAAD8455EEFBB2BF89300F10942AE815A7354EB345A418B64

Function 07A53150 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 07A53266

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 464241df48a93e9ea94caae7f708cc81f8d233a183a4461b85f0bf8094897ccc
Instruction ID: c1a2eaff0f9fd5a0282139c8af3d1337c57c46d80b36b07286a2923b24834220
Opcode Fuzzy Hash: 464241df48a93e9ea94caae7f708cc81f8d233a183a4461b85f0bf8094897ccc
Instruction Fuzzy Hash: B051F1B4E11219DFCF18CFAAD8495AEFBB2BF89304F10942AE815B7354EB3459418B64

Function 07A53548 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 07A5367D

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: f4d5c89861067adedee9c78b3349971093a11cf33850e02d11efecc8a700029a
Instruction ID: 50945076acf62ed853507e361b0e81db7210338108f91008db4f58d536331739
Opcode Fuzzy Hash: f4d5c89861067adedee9c78b3349971093a11cf33850e02d11efecc8a700029a
Instruction Fuzzy Hash: E44124B1D14219DFCF04CFAAC8445EEFBB1BB8A340F14A52AC826B7244D7384642CF69

Function 07A5353A Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

w7e^, xrefs: 07A5367D

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 876bd899ccf3e6f9ecc1f0e9ca3e1c37222ff5b1c00987aa78f9c0711f0eb8d7
Instruction ID: d0a42ad50c8f91b458a9addea1170fc49cc0a5216a2356aa562c620c8eac9900
Opcode Fuzzy Hash: 876bd899ccf3e6f9ecc1f0e9ca3e1c37222ff5b1c00987aa78f9c0711f0eb8d7
Instruction Fuzzy Hash: 2E4156B1D1420AEFCF04CFAAC8441EEFBB1BB8A340F14952AC826B7254D3384646CF59

Function 07A50023 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

0ni, xrefs: 07A501AB

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 170e7c6cfc576407fff6df80172f225b6c5ca9670e4ec580aaec0a12b8a9ce52
Instruction ID: 92fa77665b9d59fc5aae67f457e37ab92d59e1b1c8ae628660b9e1c80ce60671
Opcode Fuzzy Hash: 170e7c6cfc576407fff6df80172f225b6c5ca9670e4ec580aaec0a12b8a9ce52
Instruction Fuzzy Hash: FC517DB1E056588FDB58CF6B8D4579AFBF3AFC9300F14C1EA980CA6265DB341A858F11

Function 07A50040 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0ni, xrefs: 07A501AB

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: dc2a8a52b992983b7bc639e48de8c683ddab90811eab9375828702cf0ef202f2
Instruction ID: 3b3e523da9d539455a99530c5da7e6a9d294e6123d4a4c26814005171156b82e
Opcode Fuzzy Hash: dc2a8a52b992983b7bc639e48de8c683ddab90811eab9375828702cf0ef202f2
Instruction Fuzzy Hash: AB514CB1E156188BDB68CF6B8D4579EFBF3AFC8300F14C1BA990CA6254DB301A858F51

Function 07A5C730 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab57f46bc2184cde9d78525f2442426b85b422850a2322ba55ac0482c919ab64
Instruction ID: 63cf7838ae7e273ba2d2a6ec9720c1667bb0e8106a391fe03a32809bb4b4022b
Opcode Fuzzy Hash: ab57f46bc2184cde9d78525f2442426b85b422850a2322ba55ac0482c919ab64
Instruction Fuzzy Hash: 33E10EB4E1021A8FCB14DF99C5849AEFBB2FF89315F248169D815AB359D730AD41CF60

Function 07A5C2F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63710918b016513c67945cdfd01d91ad0eaf5ba3b4c2176cdfa636cb0f8647c8
Instruction ID: 6f3ebc43f6a0049c72746d3495b66695571c4f585f47b4cbc2659342fc08ab0c
Opcode Fuzzy Hash: 63710918b016513c67945cdfd01d91ad0eaf5ba3b4c2176cdfa636cb0f8647c8
Instruction Fuzzy Hash: 04E12EB4E0021A8FCB14DFA9C5849AEFBF2FF89315F248169D815AB359D730A941CF61

Function 07A5E210 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1808f45896d0e69010751ffe7005c148d12663423533879cb9698b82d853d63c
Instruction ID: aa1d9d175d785cbd69f8fe8b614a523a58a2ba5b59e2e9e5d712703a490d6ec7
Opcode Fuzzy Hash: 1808f45896d0e69010751ffe7005c148d12663423533879cb9698b82d853d63c
Instruction Fuzzy Hash: 55E12CB4E141198FCB14DFA9C5809AEFBF2FF89305F248269E815AB355D730A942CF61

Function 07A5BEC0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be1d762a6506f94c28fbda87196d8d0ca3e3f241e51e9c62d3ab102ec0b3f5b
Instruction ID: eadec63f7f0dbe05b844ac3893668a14734d5cfe4edae36b74f57146efd63da5
Opcode Fuzzy Hash: 1be1d762a6506f94c28fbda87196d8d0ca3e3f241e51e9c62d3ab102ec0b3f5b
Instruction Fuzzy Hash: 68E11EB4E102198FCB14DF99C5809AEFBB2FF89315F248269D815AB359D731AD42CF60

Function 07A5DDD8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0f51efd744d627e2c24a7949bccf880d4ac9807cd7f3b4cec12cd51e53451
Instruction ID: c088b50381977b1c3deb6e893f69a2e4e6ebfa5be89e9c0a64f77368666224e3
Opcode Fuzzy Hash: 05e0f51efd744d627e2c24a7949bccf880d4ac9807cd7f3b4cec12cd51e53451
Instruction Fuzzy Hash: BFE10DB4E141198FCB14DFA9C5849AEFBF2FF89305F248169E815AB359D730A942CF60

Function 0143D57C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1772730114.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb1071914c7d6dfbddf021fec1441430b098f950e9af2e66246afd9253cd468
Instruction ID: 66a9c3d3abfec0887ca06a8359dee515408567fd59654a194c4253fba64c1aa8
Opcode Fuzzy Hash: 4eb1071914c7d6dfbddf021fec1441430b098f950e9af2e66246afd9253cd468
Instruction Fuzzy Hash: 0BA17032E002168FCF19DFB5D94059EBBB2FFD9300B15856AE905AB275DB71D90ACB40

Function 07A53908 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc49751ab2d7527adf1df9b460198c89c21a3d45e64c89a9ec81146332345a15
Instruction ID: 5978fe53b975b9d2be499e402adaef021a45795cb67242246ccfd70aa5251f97
Opcode Fuzzy Hash: fc49751ab2d7527adf1df9b460198c89c21a3d45e64c89a9ec81146332345a15
Instruction Fuzzy Hash: 8A81F9B4E101698FCB54DF6AC5805AEFBB6FF89305F24C2A9D818A7315D7309A41CF61

Function 07A538F8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab1d5793a0b9e1f45a1a99f4809660944a31bb8fd6c6aa1c4b996886297b94e
Instruction ID: c55c910b5a44594ef3d443720c5c0db511cfd18d910294a95b42118eff9adad2
Opcode Fuzzy Hash: eab1d5793a0b9e1f45a1a99f4809660944a31bb8fd6c6aa1c4b996886297b94e
Instruction Fuzzy Hash: 5C8109B4E102698FCB54DF6AC5805AEFBB2FF89305F24D1A9D818A7315D7309A41CF61

Function 07A52E10 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e1e8064c8dcd82ca15d002950e6174a4fb37609ba5986d1b1b3b3ace39be38
Instruction ID: a8bc4be70dd8cdd0bf5fff18589ef574493e0c3d39fb21b167b322e1c8bd90a9
Opcode Fuzzy Hash: b6e1e8064c8dcd82ca15d002950e6174a4fb37609ba5986d1b1b3b3ace39be38
Instruction Fuzzy Hash: B1412EB0E1520ADFCB44CFA6D5416AEFFF2BF99300F20946AC415B7264E37457458B94

Function 07A52E02 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782159523.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a50000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e29fb41358975fa5830aa401dfb143d09428ecf884c695f689e8e78e594747
Instruction ID: 5daaaaa3dc328064c8a0e406baa06d47b3dd7954c9806ea144450429125b3d47
Opcode Fuzzy Hash: 09e29fb41358975fa5830aa401dfb143d09428ecf884c695f689e8e78e594747
Instruction Fuzzy Hash: 9A415EB0E1530ADFCB04CFA5C5416AEFFF2BF99200F24946AC415B72A4D37446058B95

Analysis Process: s2Jg1MAahY.exePID: 7948, Parent PID: 7516COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	130
Total number of Limit Nodes:	14

Executed Functions

Function 06DB3578 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06DB3CA7
$^q, xrefs: 06DB3C4E
$^q, xrefs: 06DB3C9B
$^q, xrefs: 06DB3C77
$^q, xrefs: 06DB3C83
$^q, xrefs: 06DB3C5A

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: d15161629552a23da957bd62f5fb5e6cd5434b8e431a54b9fd3f5118c8effb11
Instruction ID: 04296ae28989513abe7d685f2429c0510721e8ef4ce8941acf10d7b366b45a65
Opcode Fuzzy Hash: d15161629552a23da957bd62f5fb5e6cd5434b8e431a54b9fd3f5118c8effb11
Instruction Fuzzy Hash: DE322D31E1071ACFCB15DF78D85459DB7B6FF89300F1196A9D40AAB224EF30A985CB91

Function 06DB7E90 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06DB8437
$^q, xrefs: 06DB842B

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 910ceba9dc763b9602c51858af58ea2f6677d56c0eedd663d5095badd7c24228
Instruction ID: b8d51b900c2d07ec64a8bf40fd7aed0dc643cb25d39abc1e7a050564b311bec9
Opcode Fuzzy Hash: 910ceba9dc763b9602c51858af58ea2f6677d56c0eedd663d5095badd7c24228
Instruction Fuzzy Hash: 5C027D30B00216DFDB54DB68D8946AEB7E6FF88304F148569D41ADB398DB35EC82CB91

Function 06DB56A8 Relevance: 1.8, Strings: 1, Instructions: 594COMMON

Download Yara Rule

Strings

$, xrefs: 06DB59FB

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 43ed4e8b213875aedf00e5ccd31959060a7a8f69c819d1ce4f1ea208dde364eb
Instruction ID: 463a6d033e6e7d90ffde08e1616866108d3e1e53ef32ee119a26baf3e88d8a98
Opcode Fuzzy Hash: 43ed4e8b213875aedf00e5ccd31959060a7a8f69c819d1ce4f1ea208dde364eb
Instruction Fuzzy Hash: 1A22CF35F00215CFDF65DFA4E4846EEBBB2EB85310F20856AD44AAB348DA35DC42CB91

Function 06DB2749 Relevance: 1.0, Instructions: 1050COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa48647c82c2a5a9afe4183f312640534cfd4e69489a2f2ddc7eb685dc0966c3
Instruction ID: 6f729c69b1a1d5046359b1fa1b01693ac659cc5c9e49bde20c12529ae001a51c
Opcode Fuzzy Hash: aa48647c82c2a5a9afe4183f312640534cfd4e69489a2f2ddc7eb685dc0966c3
Instruction Fuzzy Hash: 97A22534A00208CFDB64CB68C584BADB7F2FB49314F5594A9D44AAB369DB35ED81CF81

Function 06DB6700 Relevance: .8, Instructions: 822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e88d93ce13f6ae89ecb401097a2ec3a8d71ea706d29ec9ef01dcafef1fb66a
Instruction ID: bb9dfd57a79ac5beecdd4e4fef98f06b7ff960460e01ffe45b4e60913340bf58
Opcode Fuzzy Hash: 61e88d93ce13f6ae89ecb401097a2ec3a8d71ea706d29ec9ef01dcafef1fb66a
Instruction Fuzzy Hash: 51629D34B00215CFDB54DB68D594AAEB7F2EF88314F149469E40AEB398DB35EC42CB91

Function 06DBADE0 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06DBAF54
$^q, xrefs: 06DBAF01
$^q, xrefs: 06DBAF0D
$^q, xrefs: 06DBAF60
$^q, xrefs: 06DBAFB8
$^q, xrefs: 06DBAF8F
$^q, xrefs: 06DBAF83
$^q, xrefs: 06DBAFAC

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 6be29144996874630792b6d804656b30ae3d4db2b02f2ed373760d6c58d67c89
Instruction ID: 8407f6fb5356386c79c3fd6b564611b198a6288bfe8d3c4c57c79d1a58eafc3c
Opcode Fuzzy Hash: 6be29144996874630792b6d804656b30ae3d4db2b02f2ed373760d6c58d67c89
Instruction Fuzzy Hash: 62E16F70F10219CBCB65DF69D4846AEB7F2FB89301F14892AE40ADB348DB74D8468B91

Function 06DA9C81 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06DA9D0E
GetCurrentThread.KERNEL32 ref: 06DA9D4B
GetCurrentProcess.KERNEL32 ref: 06DA9D88
GetCurrentThreadId.KERNEL32 ref: 06DA9DE1

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 628bbdb455458e9698f121b1e7515b337b0cd48b89c24d0ec1891426f6d30e5a
Instruction ID: fa1ef92967c58390d2ee9feb5490afa16e5375e06194b6206214f32ad07d628c
Opcode Fuzzy Hash: 628bbdb455458e9698f121b1e7515b337b0cd48b89c24d0ec1891426f6d30e5a
Instruction Fuzzy Hash: 155176B09103498FDB54DFAAD948B9EBFF1EF88311F248459E409AB360D7345984CF65

Function 06DA9C90 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06DA9D0E
GetCurrentThread.KERNEL32 ref: 06DA9D4B
GetCurrentProcess.KERNEL32 ref: 06DA9D88
GetCurrentThreadId.KERNEL32 ref: 06DA9DE1

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1c698a747e03080a5ad30add54b50d702fb5f04cd4e3c23b3e07c20515c18e42
Instruction ID: d6c06116dd8f0d4aaf97f93d1253337872a27201b487a733a2a650e14a54e544
Opcode Fuzzy Hash: 1c698a747e03080a5ad30add54b50d702fb5f04cd4e3c23b3e07c20515c18e42
Instruction Fuzzy Hash: 2B5157B09103498FDB54DFAAD948B9EBFF1EF88314F248459E409AB360DB345984CF65

Function 06DB9260 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06DB92D0
$^q, xrefs: 06DB9317
$^q, xrefs: 06DB92DC
$^q, xrefs: 06DB930B

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 30967061e1088c8c4d1046d85dff7ea7d88079c90654a4818049304013737301
Instruction ID: 72943468943561e115ece745ece5071cbc999e0f7d77165415b68ac47a83a1e3
Opcode Fuzzy Hash: 30967061e1088c8c4d1046d85dff7ea7d88079c90654a4818049304013737301
Instruction Fuzzy Hash: CE914030B0021A9FDB54DB69D8607AEB7F6EBC9304F108569C50EEB348EA74DC42CB95

Function 06DBD068 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06DBD467
$^q, xrefs: 06DBD473
$^q, xrefs: 06DBD45F

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 286fc76f7f9d1a496d4a50665e4ca3882c519c38df90fae5b21b22005c84b13a
Instruction ID: 6bd8f51699fb081d0b8a6343191c64e4f9adf231392c5239795646d7c2362496
Opcode Fuzzy Hash: 286fc76f7f9d1a496d4a50665e4ca3882c519c38df90fae5b21b22005c84b13a
Instruction Fuzzy Hash: DC624C70B00316CFCB15DB68E584A9DBBF2FF84305B249969D40A9F258DB75EC86CB81

Function 06DB4C78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06DB4CA3
XPcq, xrefs: 06DB4DC9
\Ocq, xrefs: 06DB4E53

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 8ec4d1ea2329bbae5525e88cdfc07bccb6f59eab8b34976668c1038ece91523c
Instruction ID: 26f8b66d941f91dcbcaf337975ec1e97ae9752bef2dbdf9959c86b780f98d14b
Opcode Fuzzy Hash: 8ec4d1ea2329bbae5525e88cdfc07bccb6f59eab8b34976668c1038ece91523c
Instruction Fuzzy Hash: B1619230F002199FEB55DFA9C4547AEBBF6FB88700F20842AD106EB399DB758C458B91

Function 06DB9253 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06DB92D0
$^q, xrefs: 06DB930B

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 40475b9d471257956ff338ccce29dc7f742cbd8b3f03333ce12ae0fbd60cf8ea
Instruction ID: d9324e5b0928aa15566b08197e125ae21bf9a8eb3621c90cb6a80ff0f7b38cb6
Opcode Fuzzy Hash: 40475b9d471257956ff338ccce29dc7f742cbd8b3f03333ce12ae0fbd60cf8ea
Instruction Fuzzy Hash: 69518230B002059FDB54DB79E9A0BAEB3F6EBC9714F108569C50ADB348EA74DC42CB95

Function 06DB4C69 Relevance: 2.6, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06DB4CA3
XPcq, xrefs: 06DB4DC9

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: aa8c6efcd8a65079bc0497ceed5340ca8411addea3a3c568cf37dbc0a849276e
Instruction ID: 2afa1dc344c65f06a72ad1bd29ff3a0a68548bec4a226ef3146c0f937304e92b
Opcode Fuzzy Hash: aa8c6efcd8a65079bc0497ceed5340ca8411addea3a3c568cf37dbc0a849276e
Instruction Fuzzy Hash: 36517170B002099FDB55DFA9C8547AEBBF7FF88700F20852AD145EB395DA758C058B91

Function 018EEE90 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2974653019.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18e0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d83f790620b007d6ecdd03ce59f437aa185cc16ac374c47b362b35bba2b661
Instruction ID: 76ba86601de8831930643fbe3607ea0da85d7b0633791619288dae88135fee77
Opcode Fuzzy Hash: 98d83f790620b007d6ecdd03ce59f437aa185cc16ac374c47b362b35bba2b661
Instruction Fuzzy Hash: 3D414472E043968FCB14CF79D80429ABFF0AF8A310F1585AAE548E7241DB349945CBD1

Function 06DA5FD3 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DA60EA

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9c22b66200edcd902aff5cb680e143931f3ac4cd6e472d7644aef9a14126eb8e
Instruction ID: e0dc284db488dedc6ceb1362c6dad62fd83051c0ea8b74ddde9ffeaa80dbe1c8
Opcode Fuzzy Hash: 9c22b66200edcd902aff5cb680e143931f3ac4cd6e472d7644aef9a14126eb8e
Instruction Fuzzy Hash: 5451AEB1D10349EFDB14CF9AC884ADEBBB5FF48310F24812AE419AB210D7759985CF95

Function 06DA5FD8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DA60EA

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 52236cf3621ddb5f6d9aff35a24d3ada64c43d682c2adb99c8e7be0bd9341b8c
Instruction ID: 4eb12a9db5a747b4e4f9cdd362a63533a62299ec5b5034a62cb8b5f43bfe05f2
Opcode Fuzzy Hash: 52236cf3621ddb5f6d9aff35a24d3ada64c43d682c2adb99c8e7be0bd9341b8c
Instruction Fuzzy Hash: B441AEB1D10349EFDB14CFAAC884ADEBBB5BF48310F24812AE419AB210D7759985CF95

Function 06DA9AB4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06DAAE29

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0deaeca761fbf6f46a8d426e2a5be4f98183a0f4197377f811f5b74b1a391bad
Instruction ID: a9ea91eb14c253764648b06a5a79eafb0a2660ea385e79de427ebd5ac42650ea
Opcode Fuzzy Hash: 0deaeca761fbf6f46a8d426e2a5be4f98183a0f4197377f811f5b74b1a391bad
Instruction Fuzzy Hash: F5415AB4A10349CFCB54CF89C888AAABBF5FF88314F28C559D519A7321D730A940CFA0

Function 06DABAB0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06DABB38

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 3e48889ccede5b814687084f5739a2f85d51f82a0be44d478bb29cf86eef2ef6
Instruction ID: cdd7b4641b195d8bc238bc2ea623ae28d2d0882ced3077df6505a41ac6f7f9dd
Opcode Fuzzy Hash: 3e48889ccede5b814687084f5739a2f85d51f82a0be44d478bb29cf86eef2ef6
Instruction Fuzzy Hash: 9A311FB0D01308EFDB10CF99C984BCEBBF5AF48304F20801AE505AB394CBB5A946CB65

Function 06DABAB2 Relevance: 1.6, APIs: 1, Instructions: 70comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06DABB38

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 2084aaffc1a53713a6c9f2731116443d2a66af5f53bdb5db03a0ab5d2b56998f
Instruction ID: 2129718cdf381205293a1b304312dfc0db538b4f5f7c6cd85c9e97aec96fc8b3
Opcode Fuzzy Hash: 2084aaffc1a53713a6c9f2731116443d2a66af5f53bdb5db03a0ab5d2b56998f
Instruction Fuzzy Hash: 6C31FFB0D01348EFDB14CF99C984BDEBBF1AF48304F24811AE505AB294CBB5A946CB65

Function 06DA9ED0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DA9F5F

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 13c2e942887797e85c36fe46b046e3cebadcc2b2486c4afbfb2b8c9167611b88
Instruction ID: d34902c09a79bf67ddf7221f31959f7153f49c2d01466ee47b4ab3a01633d63c
Opcode Fuzzy Hash: 13c2e942887797e85c36fe46b046e3cebadcc2b2486c4afbfb2b8c9167611b88
Instruction Fuzzy Hash: D321E3B5900348AFDB10CFAAD984ADEBFF9EB48310F14801AE958A7350D374A954DFA5

Function 06DA9ED8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DA9F5F

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d5ee37642f2d86b55bcd8a886546e2740b93deb905b34ec35b845624dcda5af2
Instruction ID: b83f525ad5fa3b95840944d38abdd7f451306781b52f95dde230574693f37d58
Opcode Fuzzy Hash: d5ee37642f2d86b55bcd8a886546e2740b93deb905b34ec35b845624dcda5af2
Instruction Fuzzy Hash: 9121E4B5900348AFDB10CFAAD884ADEBFF8EB48310F14801AE918A7350D374A944CF64

Function 018E8038 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 018E80B0

Memory Dump Source

Source File: 00000008.00000002.2974653019.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18e0000_s2Jg1MAahY.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1952705fc4db7c8fc559a5229377fb3fe76e6072c14fb28558a39e65b1f6cd13
Instruction ID: ebb5eff8bfca96698a50cb94035d3b9be521111065a1b6e45536b96a476e8f2b
Opcode Fuzzy Hash: 1952705fc4db7c8fc559a5229377fb3fe76e6072c14fb28558a39e65b1f6cd13
Instruction Fuzzy Hash: 2F2147B1C006199FCB14CFAAD4446DEFBF4FB49320F11811AD918A7340D774AA44CFA5

Function 06DAD5E8 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06DAD66B

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 520f2641ba16cf19caae1040f078618225b715c47d31f3d20ea4a2b04fed2248
Instruction ID: dc5339c983c8ce48adf7be8bdc6273f410d56872b4be01b08ed3b808f375bd2e
Opcode Fuzzy Hash: 520f2641ba16cf19caae1040f078618225b715c47d31f3d20ea4a2b04fed2248
Instruction Fuzzy Hash: 1F21F0B5D042099FCB14DF9AC844BEEBBF5BB88310F14842AE429A7390C775A944CFA5

Function 06DAD5F0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06DAD66B

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: f8aacdcee418ad76564b0ddd1e0e65478c2246769cb2b7710bfa91daa3d8dfc8
Instruction ID: 24b9c587b4dc78c9be0c9592f2657c6a4a5b64ae6e7004b5aca33a4896a952c6
Opcode Fuzzy Hash: f8aacdcee418ad76564b0ddd1e0e65478c2246769cb2b7710bfa91daa3d8dfc8
Instruction Fuzzy Hash: FD2113B1D042099FCB14DF9AC844BEEFBF5AF88310F14842AD419A7390C774A944CFA5

Function 018E8040 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 018E80B0

Memory Dump Source

Source File: 00000008.00000002.2974653019.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18e0000_s2Jg1MAahY.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7544d92093fe54e17100391337bad70196471091ddaa973451d60c5907a20e7d
Instruction ID: 6a774d2a011256beeb9b207fe8b9d01480ff913a7ec3f3f3107adcc70e0c30e9
Opcode Fuzzy Hash: 7544d92093fe54e17100391337bad70196471091ddaa973451d60c5907a20e7d
Instruction Fuzzy Hash: 291133B1C0065A9FCB14CF9AC444A9EFBF4FB49320F15812AD928A7340D778AA44CFA5

Function 06DAB098 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06DAB075), ref: 06DAB0FF

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: bf74ab5e13561ada4ece4badca230df4cdec59a0d5348c493f04212cf902c5dc
Instruction ID: 2a153e968c67570ba79df4a31a96b8031bae78664f488f01a6f6608d8038adf7
Opcode Fuzzy Hash: bf74ab5e13561ada4ece4badca230df4cdec59a0d5348c493f04212cf902c5dc
Instruction Fuzzy Hash: E01176B08003088FCB20CF9AD945BDEBBF8EB48324F20801AE518A3240C375A944CFA5

Function 018EEF78 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 018EEFDF

Memory Dump Source

Source File: 00000008.00000002.2974653019.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18e0000_s2Jg1MAahY.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 5043d1769f192ea00a697d076fe975cd5e97882407e0575452a15f0d7eddeb8e
Instruction ID: b2fc84fe4e4eb80ee7a756c4091537629603c0c377691a7416badeae1c6f01ec
Opcode Fuzzy Hash: 5043d1769f192ea00a697d076fe975cd5e97882407e0575452a15f0d7eddeb8e
Instruction Fuzzy Hash: 7211F3B1C006599BDB10DF9AC448BDEFBF4FF48320F15816AE918A7241D778AA44CFA5

Function 06DAB3AF Relevance: 1.6, APIs: 1, Instructions: 50comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06DAB9BD

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 971e07f5539616a9b6e4dac084423633489c034354997405b758186aba53548e
Instruction ID: 5cbcceece60807a48653b9b40bb338691d7c8720fa6c83c062c7aff7cf08f9a3
Opcode Fuzzy Hash: 971e07f5539616a9b6e4dac084423633489c034354997405b758186aba53548e
Instruction Fuzzy Hash: 0F1133B58043488FDB20DF9AD945BDEBBF8EB48320F20841AD559A7310D779A944CFA6

Function 06DA3864 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06DA4F96

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 40a979be834bf97e2a4d2239b9ad0ee00f43b2ff4c70ac0d8de587580ead8e14
Instruction ID: d6926a0b0ad2f1876627b78a78d690cb160979feed48124c7d657359beb4543b
Opcode Fuzzy Hash: 40a979be834bf97e2a4d2239b9ad0ee00f43b2ff4c70ac0d8de587580ead8e14
Instruction Fuzzy Hash: 14113FB5C043488FCB10DF9AD844ADEFBF4EB88220F11842ED829B7210C3B9A544CFA0

Function 06DA4F2F Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06DA4F96

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 76a2b969bed7db7e0615223c95886f56ef2eebd91b825d5d67e8d2263a89648b
Instruction ID: 1500f0fd0b354d5c5dae845241cdae3114213499da367bc487403a64b377ed45
Opcode Fuzzy Hash: 76a2b969bed7db7e0615223c95886f56ef2eebd91b825d5d67e8d2263a89648b
Instruction Fuzzy Hash: 521110B5C003498FCB10DF9AD844ADEFBF4EB88320F11842AD429B7250C3B9A545CFA1

Function 06DAB961 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06DAB9BD

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 186ec71c409542aea01b821e2e12356a57a8d2130215081eeec65741ba6248d2
Instruction ID: 39b27eff25bfd7432778860a36ed006dffcbba3fbfb05f78287fe242aaafa006
Opcode Fuzzy Hash: 186ec71c409542aea01b821e2e12356a57a8d2130215081eeec65741ba6248d2
Instruction Fuzzy Hash: D81103B58043488FCB10DF9AD548BCEBFF8EB48320F24845AD558A7310C375A544CFA5

Function 06DAB3B8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06DAB9BD

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1d8d3476d1605773d78ba2b59a4e050ef1bbce3a6565ea9bd9946233c5e57865
Instruction ID: 9fbac94a73df9366a55b939767ce5403209ce890f6a6302e47b29bc11a415440
Opcode Fuzzy Hash: 1d8d3476d1605773d78ba2b59a4e050ef1bbce3a6565ea9bd9946233c5e57865
Instruction Fuzzy Hash: 5A1142B18043488FCB20DF9AD588BDEBBF8EB48320F20841AD518B3300C378A944CFA5

Function 06DA9B0C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06DAB075), ref: 06DAB0FF

Memory Dump Source

Source File: 00000008.00000002.3022901948.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6da0000_s2Jg1MAahY.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 3862a5e3832d5b8654ea6f4797be57fa9ce3d1525374a881c926ab24b6171d20
Instruction ID: f0d2438d718db6b557b3db74c40ffd1b826415c3d12fe6f08e807b5ea6ec945e
Opcode Fuzzy Hash: 3862a5e3832d5b8654ea6f4797be57fa9ce3d1525374a881c926ab24b6171d20
Instruction Fuzzy Hash: 8A1133B08043488FCB20DF9AD848BDEBBF4EB48324F20841AD519A3340C775A944CFA4

Function 06DBDBDD Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06DBDD39

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: e6749b72e53c3973ee3806f5affb3e3443bb36d5806a26087de5c7411b160588
Instruction ID: fa1eda9b898007734f206aac437d972625f193f84428535b36a179c398d1494b
Opcode Fuzzy Hash: e6749b72e53c3973ee3806f5affb3e3443bb36d5806a26087de5c7411b160588
Instruction Fuzzy Hash: 2741BF70E00319DFDB61DFA5D8546AEBBB3BF89300F204529E406EB284EB70D946CB91

Function 06DB21D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06DB230B

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: bfa66b14b5be82550e50287411014965728a578eabef933460afe4d3244b2b33
Instruction ID: eebef9ddf4b765ac9ca86e3e8bad61b3699a45ba36f5661509bdd06ee937fe39
Opcode Fuzzy Hash: bfa66b14b5be82550e50287411014965728a578eabef933460afe4d3244b2b33
Instruction Fuzzy Hash: AE31EF31B00205CFDB6A9B78C4586BF7AE2AF89301F20442DD406DB388DE35DE46C7A1

Function 06DB83E0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DB842B

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: b7ca3e6cf4089a03304d655857d585d75325dfe7762dba0817c2865fcd63c6d5
Instruction ID: b4812fdf085517b08f3bc97311c28adfd2cc732473ae71c05d4e81a0efea55e2
Opcode Fuzzy Hash: b7ca3e6cf4089a03304d655857d585d75325dfe7762dba0817c2865fcd63c6d5
Instruction Fuzzy Hash: F9F0DC31B00226DFDF648F98E9846E873AEEB48310F15546AC807CB248CA35D906DB92

Function 06DB4B61 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06DB4B6D

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: a37ac2e0febd593cbb0fc35dcd1669890a032a1315013ae0fcb5cf074f7bdb32
Instruction ID: 6af4f9b355f90c28894e52717867aad8236ad6c640370c6f7abc788d70934302
Opcode Fuzzy Hash: a37ac2e0febd593cbb0fc35dcd1669890a032a1315013ae0fcb5cf074f7bdb32
Instruction Fuzzy Hash: D1F0DA30A10129EBDB14DF94E899BAEBBB2FF88701F214119E502A7399CB745C45CB80

Function 06DBC2A8 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ee7c117d176d88502da0f840f5490f091efb074c846a3a9c72c94c6944cd15
Instruction ID: ca1828cc55c35377696af49d550f869d5a5bd3b8d926dfcbaa2e43cc4e5c59ad
Opcode Fuzzy Hash: 27ee7c117d176d88502da0f840f5490f091efb074c846a3a9c72c94c6944cd15
Instruction Fuzzy Hash: B5327174B20215DFDB54DB68E484AADBBF2FB88310F109529E40ADB355DB35EC42CB91

Function 06DBB3DF Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4700f5b43bc41c9ce5a551c68d0306f09c394d4345f324822ae4392b8035c31c
Instruction ID: 0eada17df13f3d551af1eeea888699fc1adcfecc300887dea5580c0146057728
Opcode Fuzzy Hash: 4700f5b43bc41c9ce5a551c68d0306f09c394d4345f324822ae4392b8035c31c
Instruction Fuzzy Hash: 46222D74E10209CFDF64CB68D494BEDB7A1EB49310F24946AE44ADB399DE34DC81CB51

Function 06DB6300 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e82e2c016c222cb922bb6e19f832f5f29219c91ce63c5cc3febc7a964887fb6
Instruction ID: 6eec05b57ddfcc84c9f33f4098cda2178d5761ca66b28f007dda3c45339aad72
Opcode Fuzzy Hash: 7e82e2c016c222cb922bb6e19f832f5f29219c91ce63c5cc3febc7a964887fb6
Instruction Fuzzy Hash: 7D61C171F001218FCB509B7EC8846AFBAD7AFD5620B29443AD80EDB364DE65DD0287D6

Function 06DB43B1 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e542eab43567222120b7bd61daf1ff931807e10085e1290611aa27cb5e21faad
Instruction ID: fc85b4ef8406d5fb71a1a7a7b40558632688114406712d0313b610b5c7a4b43b
Opcode Fuzzy Hash: e542eab43567222120b7bd61daf1ff931807e10085e1290611aa27cb5e21faad
Instruction Fuzzy Hash: 41813E30B002069FDF54DFA9D4546AEB7F6AF89304F118429D40ADB399DF74DC828B92

Function 06DB46CC Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d387eb2bf526b2d54dfa0f2f40f4055e68638db48219b9bb6d7a191ed40587
Instruction ID: 12dd437a0dbcd829497faf8a71471e14fc0294dafee6dabbb170da9dacfe1628
Opcode Fuzzy Hash: 56d387eb2bf526b2d54dfa0f2f40f4055e68638db48219b9bb6d7a191ed40587
Instruction Fuzzy Hash: C5913D34E102198BDF60DF68C890BDDB7B1FF89310F208699D549BB359DB70AA85CB91

Function 06DB46E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e099f537b103b3596a0421a80fe7dd6b0db703d3af8151d8dcc5237df739885
Instruction ID: 3aa7c20f94251d0a43f08ac6b51f2355e800ab24a94837d619fdbc658121a21a
Opcode Fuzzy Hash: 9e099f537b103b3596a0421a80fe7dd6b0db703d3af8151d8dcc5237df739885
Instruction Fuzzy Hash: AB912D34E102198BDF60DF68C880BDDB7B1FF89310F208599D549AB259DB70AA85CF91

Function 06DBF031 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58edf0e32351d112c117cb6084a4dbd427b9a3632eb14414f26ae01dd9e9273
Instruction ID: 024936e1795800dbe95e31fae526aed6c116375bb50524f81822206508192c16
Opcode Fuzzy Hash: e58edf0e32351d112c117cb6084a4dbd427b9a3632eb14414f26ae01dd9e9273
Instruction Fuzzy Hash: C8713A70A00209DFDB54DFA9D984A9DBBF6FF84300F249529D40AEB268DB30ED46CB51

Function 06DBF040 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0320943ce68f8e1e99de1608b2bc57610f74aa69a020204e968da489a9c2708
Instruction ID: dab3a026836368f7f9e93a73e9ab3e943910b0954a6f3800244dcd3a9f6439df
Opcode Fuzzy Hash: a0320943ce68f8e1e99de1608b2bc57610f74aa69a020204e968da489a9c2708
Instruction Fuzzy Hash: 04711A70A002099FDB54DFA9D984A9DBBF6FF84300F149469D40AEB358DB30ED46CB51

Function 06DBFCC1 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0da425d96aefd38053fb2ba07bbe1fcc7a683ee2730b3e3bb3c8f130004a5e
Instruction ID: cba7116b3a7d29388b13f2f9a41d9cbf6cd4b7b89698ab6184e7ccf04acfd5af
Opcode Fuzzy Hash: 5a0da425d96aefd38053fb2ba07bbe1fcc7a683ee2730b3e3bb3c8f130004a5e
Instruction Fuzzy Hash: 8E51E531E00105DFDF64EF78E8486EDB7B2FB88315F10886AE11AD7299DB358999C781

Function 06DBFA70 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad7af9b472802a131a57592f29222933ce728303deaaf095d5d42389cb1676f
Instruction ID: 4f1d3c40be10991c7c076d977a8cc53599cdeeb99fbec207fec8e8411f3efe18
Opcode Fuzzy Hash: cad7af9b472802a131a57592f29222933ce728303deaaf095d5d42389cb1676f
Instruction Fuzzy Hash: 3A516170B20214DBEF64577CDC987AF269AD789351F20542AE50FC7398CA3DCC8557A2

Function 06DBFA80 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8736b01b8e7b74f4e47618a5cfd0f36d3f1f05d55ddc2865a3f682a263eb3332
Instruction ID: 48c6aba5dcc83f67087b9f61776cddab98d4132600a233c454f9022f4d79ed85
Opcode Fuzzy Hash: 8736b01b8e7b74f4e47618a5cfd0f36d3f1f05d55ddc2865a3f682a263eb3332
Instruction Fuzzy Hash: 935180B0B20214DBEF645B6CDC98B6F269AD789311F20542AE50FC7398CE3CCC859792

Function 06DB5521 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca7508ba680b282c84c5ad24b120d55b874a074fe79a3712329013a9a605a25
Instruction ID: 8df9cf3503b73720eff0b4ab6114dd072bbe888449fe54849d76337689d09fa4
Opcode Fuzzy Hash: bca7508ba680b282c84c5ad24b120d55b874a074fe79a3712329013a9a605a25
Instruction Fuzzy Hash: A4416971E00609CFDB60CFA9E880ABFFBF2EB95310F10492AE156D7654D334A9598B91

Function 06DBDA90 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142589b831745e2571a586d00592d29cb3004f2f3c6a10bf0ebdbc311c60e907
Instruction ID: 7baaebaeaefb67410769b7cedebca9f5acb20a97910d6a5bfcca970739f60045
Opcode Fuzzy Hash: 142589b831745e2571a586d00592d29cb3004f2f3c6a10bf0ebdbc311c60e907
Instruction Fuzzy Hash: 4F31B470E1031ADFDF15DF69D480ADEBBF6FF85300F144929E406AB244DB71A8468B81

Function 06DB2081 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d18d19c1005cddf4c0abc78823a0d9e6a956eeca3716f95ce323db0a1a4e9a2
Instruction ID: ea5ea51ecee6b3c83b3caf5a884bdbb36b86aa47ca0e59e197576be8fab9ffa4
Opcode Fuzzy Hash: 3d18d19c1005cddf4c0abc78823a0d9e6a956eeca3716f95ce323db0a1a4e9a2
Instruction Fuzzy Hash: 5F319C31E10216DBCB15CF69D8546AEB7F2FF89300F148519E906EB344DB31AD46CB50

Function 06DB2090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db73b7b12a6c6857f445f936c5b8d396c0f01d6c67449c36b6de198a0382ab46
Instruction ID: 6abf81475881eb55195cfd7febe050d691a17cc4435e51b00b91ae8c44327fcf
Opcode Fuzzy Hash: db73b7b12a6c6857f445f936c5b8d396c0f01d6c67449c36b6de198a0382ab46
Instruction Fuzzy Hash: 14319A31E1021ADBCB59CFA5D8946AEB7F2FF89300F148529E906E7344DB31AD82CB50

Function 06DB3FB9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0b987011ef4b8a1f9a365cdc31bf0b5ca07b71dabd013fa7b0d55a6a508c4a
Instruction ID: f07c725c9c02124b896c4f2c5bbbac3657bd9fdb38a484fbd00f27e9345bced1
Opcode Fuzzy Hash: af0b987011ef4b8a1f9a365cdc31bf0b5ca07b71dabd013fa7b0d55a6a508c4a
Instruction Fuzzy Hash: 89217831F002169FDB50CF69E840AEEBBF5EB48710F108429E945E7289EA35D9058BD2

Function 06DB3FC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145f10118f1c3cfe4d710c2d46e34c76bce6e8fea90292572632a801bf06c03
Instruction ID: 608d330961ef70d98598ad1cb73f605933bc275ab30c57f4251f830e60d579e9
Opcode Fuzzy Hash: 9145f10118f1c3cfe4d710c2d46e34c76bce6e8fea90292572632a801bf06c03
Instruction Fuzzy Hash: F8217A71F002169FDB50CF69E980AEEBBF5EB48710F118025E906E7349EB35D9018B96

Function 014FD1F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2970348654.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14fd000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf7b331e415123a7085b2a30d075986c0dcd81635051bb7898c8178f0d3d5a4
Instruction ID: 3afae1eb84f17fa1fae109c3444d14069c666a452908bf9943a68ad945410364
Opcode Fuzzy Hash: 0cf7b331e415123a7085b2a30d075986c0dcd81635051bb7898c8178f0d3d5a4
Instruction Fuzzy Hash: 5D213BB9904200DFDB11DF98D9C4B26BB65FB84334F24C56EDA090B356C336D406C6E2

Function 014FD3A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2970348654.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14fd000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d602fabb690ab907c10d4ed0a64b5cbbfd4d04ce3393129c68d1cb00193bebcb
Instruction ID: 72e3677fa2c4c33614a37c77a9041e1408317bbae9afc882d7c84f6f1b5ea853
Opcode Fuzzy Hash: d602fabb690ab907c10d4ed0a64b5cbbfd4d04ce3393129c68d1cb00193bebcb
Instruction Fuzzy Hash: E52107B5A04204DFDB05DF58D5C4B26BBA5FB84314F24C57EDA0A4B366C336E846CB61

Function 014FD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2970348654.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14fd000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561c2ae9b493dbde5a7e7baf6d01e820908395b7fd1b0328590b9df7da9a27f9
Instruction ID: f9e55882dcf265b9fa491de43623c73f16c225f4db29ec3467bb20c8ff9fde86
Opcode Fuzzy Hash: 561c2ae9b493dbde5a7e7baf6d01e820908395b7fd1b0328590b9df7da9a27f9
Instruction Fuzzy Hash: 6A2107B1A04204DFDB15DF58D9C4B26BBA5FB84318F24C56EDA0A4B3A2C736D447CB61

Function 014FD118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2970348654.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14fd000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11659f44f7beb0f7bff67488668267087fd64ab76bc155044e13a0c247e9ba28
Instruction ID: 832a5dbe3b682083a515e1263e0aa01a8a2c1fd57fe5223c46ba8e48c3b4640d
Opcode Fuzzy Hash: 11659f44f7beb0f7bff67488668267087fd64ab76bc155044e13a0c247e9ba28
Instruction Fuzzy Hash: B221D4B1A04344DFDB05DF58DAC4B26BFA5FB84314F24C66EDA0A4B366C336D846C661

Function 06DBA418 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98384a1426d90125a8e59fb2c6af2d94700f29d8d7bce413b1fc07bcc67a31f7
Instruction ID: 99998165fb3892fc262cac7731aa1645b134c6ab5a82f8a34133f820ede2343a
Opcode Fuzzy Hash: 98384a1426d90125a8e59fb2c6af2d94700f29d8d7bce413b1fc07bcc67a31f7
Instruction Fuzzy Hash: 89110670B101245FCB61876CEC447EA77D6EB8A634F184579E60FC7394DA26DC0283D1

Function 014FD006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2970348654.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14fd000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc76bf9f051783196b7294a1ccc4221e87500953fef6144ffcb0bb603aa6def5
Instruction ID: d541c629c3b8af860422d20a70035a0a1a37c163ca7ab2cd989d67247cb02e5c
Opcode Fuzzy Hash: fc76bf9f051783196b7294a1ccc4221e87500953fef6144ffcb0bb603aa6def5
Instruction Fuzzy Hash: 1F216B755093C08FDB03CF64C994715BF71AF46214F29C5EBD9898F2A3C23A980ACB62

Function 06DB4310 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43400006b9dbf111e74be4e1347859b60ea890379dcf2caf41b25381f119eb61
Instruction ID: 8ed17aa14eb2cac2c067fa4bf76ff8d0ca8bbe4b5a03f122d8412bf7c8799413
Opcode Fuzzy Hash: 43400006b9dbf111e74be4e1347859b60ea890379dcf2caf41b25381f119eb61
Instruction Fuzzy Hash: 991149307042115FDB61D63DA80075FBBEBDBCA210F28882DE14BC739ADA24CC024392

Function 06DB40D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5816c0747059084859e635e1e23d0d94da9d7ee4b23aa75e4a14799f5e6143
Instruction ID: 194a344d10991cda869f583e1079dc322e4c3dfcd9cdc8e11796287e26f8b9c4
Opcode Fuzzy Hash: 0f5816c0747059084859e635e1e23d0d94da9d7ee4b23aa75e4a14799f5e6143
Instruction Fuzzy Hash: A7117C31F001259BDB94D668D814AEE73EAABC8210B044039C50AE7348DA65DC028BD1

Function 06DBF2B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d04b70696301cbf508ee2d0fecedae21383651757909d53f1b09574b8ca530
Instruction ID: 378e7c1433bd2433c5ac94639ffb46bcd7505cc9e114e1b2211988f1bf33f709
Opcode Fuzzy Hash: f4d04b70696301cbf508ee2d0fecedae21383651757909d53f1b09574b8ca530
Instruction Fuzzy Hash: 06012435B002105FCB66977DA8547BE7BDADBCA620F14482AE00BCB344DA25DD434796

Function 06DB3D91 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abb8f132418f92d78a3f48635d29aeadb473f9485e57e3085186268b644e984
Instruction ID: b07e8f21477153d4e65605a17ab93d01e8f123bc0a1e4d557ae1c8b056ac0e2c
Opcode Fuzzy Hash: 5abb8f132418f92d78a3f48635d29aeadb473f9485e57e3085186268b644e984
Instruction Fuzzy Hash: E921C4B5D01259AFCB00DF9AD885ADEFBF5FB48310F10812AE518A7340C7746954CFA5

Function 06DB40C9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2cc5a0d1ce42c05ef20d45f545adc166e4f71e5ca931641117dab3e57c921e
Instruction ID: e1a29ac47f9eeeeed2c8c9212a6ddb7099429ea4acff528872417f89a56633f3
Opcode Fuzzy Hash: ce2cc5a0d1ce42c05ef20d45f545adc166e4f71e5ca931641117dab3e57c921e
Instruction Fuzzy Hash: 3801D431F10126ABEB94D669DC14AEF73EFDBC8250F04403AD50AD7249DE608C0247D2

Function 014FD1F3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2970348654.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14fd000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
Instruction ID: 1f9b624b66580ad99dcca5612cf83ca78360a90ad38570246e7aac398ee91222
Opcode Fuzzy Hash: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
Instruction Fuzzy Hash: B0119D7A904280CFDB12CF54D5C4B16BB71FB84324F25C6AED9494B756C33AD40ACBA2

Function 014FD3A3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2970348654.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14fd000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 3ca3c149666fa58ebeb0caab96aac9aa3c00b23b960f1ffb9767403ff2b22218
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 0A11BE75904240CFDB02CF54D5C4B16BB62FB84314F24C6AEDA494B3A6C33AE44ACB52

Function 014FD113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2970348654.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14fd000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bba1b886c7af03120d174dc7deae98a13e2b30171c5fb19a59aa5d286d4f618
Instruction ID: 8194eaeb093cd6d11bc35eecf3c101b93cd3c755845b041645543d4972dacc32
Opcode Fuzzy Hash: 2bba1b886c7af03120d174dc7deae98a13e2b30171c5fb19a59aa5d286d4f618
Instruction Fuzzy Hash: CB118E75904284CFDB06CF54D6C4B16BF72FB44214F24C6AED9494B766C33AD44ACB51

Function 06DB3D98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1941b1041c881c0e65c0389ea76617a4772a1e9102799257285caf782707d0c
Instruction ID: 3805cd433536267683c451ea9a8cfa01117ac50c15c6517b8279d116ecedefb6
Opcode Fuzzy Hash: f1941b1041c881c0e65c0389ea76617a4772a1e9102799257285caf782707d0c
Instruction Fuzzy Hash: 2911AFB5D01259AFCB00DF9AD885ADEFBB4FB48310F11822AE918A7340C375A954CFA5

Function 06DB4320 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e504348855b9cd86541551e8e32ccee379df96c1963f113eaaea908504a41a6
Instruction ID: 5cc68f275150391e9d0fa7578a61e2eee9170c50400df3ade914a8642a804b02
Opcode Fuzzy Hash: 7e504348855b9cd86541551e8e32ccee379df96c1963f113eaaea908504a41a6
Instruction Fuzzy Hash: 9801AD30B001215BDB64D66DA41476FA3DBEBC9620F28883DE20FC7349DE25DC020385

Function 06DBF2C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d89cc8ac5378e69e086d68ab41168cdc3855a031525ae267d2acbb4e6726164
Instruction ID: 41ba7f03b5b8f3a2be75ef4cb36196b2b0ed5113b26fab8d4bc764e640b451f1
Opcode Fuzzy Hash: 1d89cc8ac5378e69e086d68ab41168cdc3855a031525ae267d2acbb4e6726164
Instruction Fuzzy Hash: 3101D134B101105BCB64D76DA850B7E63DADBC9620F108829E10BC7348DE25DC434386

Function 06DBA428 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39badc5a4c9eff49b47ebb79df3557a6de0b387497c145d36e93e68385864120
Instruction ID: f799c241ce53841cf1203cfdcfe342f2cda2d3d16774f1e6acd46688fa2b57c7
Opcode Fuzzy Hash: 39badc5a4c9eff49b47ebb79df3557a6de0b387497c145d36e93e68385864120
Instruction Fuzzy Hash: 77018170B101255FCB60DA7DE85876A73DAEB8D724F148838E10FC7358EE25EC428781

Function 06DB6580 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af02700bb1c0db7a94c4c134d03ab5f86d2e233b8b73be2004bcc6bd44905af
Instruction ID: 4e736d65cf7b0d3cac23265d03f374ead7c3e04584562a368d299e8913cb4151
Opcode Fuzzy Hash: 4af02700bb1c0db7a94c4c134d03ab5f86d2e233b8b73be2004bcc6bd44905af
Instruction Fuzzy Hash: CDE02230E09288ABDB20CF7089056EA7BE89702200F2048A6E806CB24EE032DE1147A6

Non-executed Functions

Function 06DB77B0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DB78DD
$^q, xrefs: 06DB78AC
$^q, xrefs: 06DB7C5D
$^q, xrefs: 06DB78D1
$^q, xrefs: 06DB7D1E
$^q, xrefs: 06DB7D08
$^q, xrefs: 06DB7C69
$^q, xrefs: 06DB7D12
$^q, xrefs: 06DB78A0
$^q, xrefs: 06DB7CFC

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: a57e974eed0a7878221f7f5505dcf07e6c47bf3e9c940685e3991eaf0ad58e94
Instruction ID: a31d3a552d4bd68b77d3fdca7b07486a74c6daa57028f44ccf25e19b2ec9f92f
Opcode Fuzzy Hash: a57e974eed0a7878221f7f5505dcf07e6c47bf3e9c940685e3991eaf0ad58e94
Instruction Fuzzy Hash: 7B12FB30E00219CFDB68DF69D854AADB7F2BFC9305F209969D40AAB358DB309D45CB91

Function 06DBAA48 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DBAC06
$^q, xrefs: 06DBABA5
$^q, xrefs: 06DBAB99
$^q, xrefs: 06DBAB3E
$^q, xrefs: 06DBABD0
$^q, xrefs: 06DBABFA
$^q, xrefs: 06DBAB4A
$^q, xrefs: 06DBABC4

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 653b8fc943f2ab8d7cc6a2a76d27ca6f087137d33e07d6afa55481ead68786a4
Instruction ID: 8ef4a5463cd0c7cbe62e9e132fe05d2e3f45835b1a3e381bf72df64e7675db38
Opcode Fuzzy Hash: 653b8fc943f2ab8d7cc6a2a76d27ca6f087137d33e07d6afa55481ead68786a4
Instruction Fuzzy Hash: C5918E70E00209DFDB68DF69E548BAE7BF2EF84301F189429E4029B298DB749D45CB91

Function 06DB71B0 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DB764C
$^q, xrefs: 06DB7492
$^q, xrefs: 06DB76B8
$^q, xrefs: 06DB76C4
$^q, xrefs: 06DB74F8
$^q, xrefs: 06DB74EC
.5vq, xrefs: 06DB720B

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: bb90539463a6872c53ca70c6c3f122e84596af811d03c0eff091cfa71f218de5
Instruction ID: 28f7be07ba850bf00d09c028c56211025f851fe1cdf0dec89bafcbf45ce13b41
Opcode Fuzzy Hash: bb90539463a6872c53ca70c6c3f122e84596af811d03c0eff091cfa71f218de5
Instruction Fuzzy Hash: CEF13C34B00209CFDB55DB68D498AAEB7F6FF84301F248969D4069B398DB75ED42CB81

Function 06DBBB28 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DBBD29
$^q, xrefs: 06DBBD35
$^q, xrefs: 06DBBCCD
$^q, xrefs: 06DBBCF5
$^q, xrefs: 06DBBCC1
$^q, xrefs: 06DBBD01

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 705acd59011ca2337e47cb8cc1c6f5c2034f07b318f2b645a5b923a0cc0e29a5
Instruction ID: 6c049016cd14df348d6c4e39097d98ad4bdaad929ae2dbc00c4406d16f19dfec
Opcode Fuzzy Hash: 705acd59011ca2337e47cb8cc1c6f5c2034f07b318f2b645a5b923a0cc0e29a5
Instruction Fuzzy Hash: 23718B30E00219CFDB69CFA9E454AADB7F2FF84700B10996AD4079B258DF74D946CB81

Function 06DB84E8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DB87B3
$^q, xrefs: 06DB874E
$^q, xrefs: 06DB8742
$^q, xrefs: 06DB87A7

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2b0d9d377ceea3b5d461b43663b475af2da712c1466ba2663b016df2f05f5274
Instruction ID: 6d13a8855f79bb74efe60ffc0749936dded3ae134c867b1720e7785903ebd499
Opcode Fuzzy Hash: 2b0d9d377ceea3b5d461b43663b475af2da712c1466ba2663b016df2f05f5274
Instruction Fuzzy Hash: 96B12830F00219CBDB58DF69D9846AEB7F6EF84301F248829D40A9B358DB74DC82CB91

Function 06DB8900 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DB897F
LR^q, xrefs: 06DB89F3
$^q, xrefs: 06DB898B
LR^q, xrefs: 06DB8A42

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 800ae89705c78aef3cdf71e2886ff937cec1f2709dabff2662b17dde8c1aad10
Instruction ID: 921794ff83e789ec5056c689c32fcabccc5db09f3e3656d95d5990ac4859c923
Opcode Fuzzy Hash: 800ae89705c78aef3cdf71e2886ff937cec1f2709dabff2662b17dde8c1aad10
Instruction Fuzzy Hash: A551A330B00205DFDF58DF28D854AAAB7FAFB89711F149569D4069B398DB70EC41CB91

Function 06DBADD3 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DBAF54
$^q, xrefs: 06DBAF01
$^q, xrefs: 06DBAF83
$^q, xrefs: 06DBAFAC

Memory Dump Source

Source File: 00000008.00000002.3023265501.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6db0000_s2Jg1MAahY.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 7a95d7accedc7061b6ccdf64d2bda37f934405b49f5857478753d7f55cc0d454
Instruction ID: 0583d4b9a499725d40c511873470c716c2b826c1d4785567d02fe815fa50b11a
Opcode Fuzzy Hash: 7a95d7accedc7061b6ccdf64d2bda37f934405b49f5857478753d7f55cc0d454
Instruction Fuzzy Hash: 27516970F10205CFDB65DB68E5846EEB7F2EB89301F28992AE406DB248DB35DC41CB91

Analysis Process: GedTanqRR.exePID: 8088, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	135
Total number of Limit Nodes:	8

Executed Functions

Function 0180CFF1 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0180D07E
GetCurrentThread.KERNEL32 ref: 0180D0BB
GetCurrentProcess.KERNEL32 ref: 0180D0F8
GetCurrentThreadId.KERNEL32 ref: 0180D151

Memory Dump Source

Source File: 00000009.00000002.1851309213.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1800000_GedTanqRR.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a1ff4c3f79f50a5e75cd8b5749486349a6ee9d43803adcc34989f2a8872fce16
Instruction ID: ed14d95a4a31724f945843fb61c2dbbbe1b2ed8fd95d60c6a1392cd38c92459a
Opcode Fuzzy Hash: a1ff4c3f79f50a5e75cd8b5749486349a6ee9d43803adcc34989f2a8872fce16
Instruction Fuzzy Hash: 785168B09007098FDB18DFA9D988BDEBBF1EF48314F208459D509A73A0C7355A88CF65

Function 0180D000 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0180D07E
GetCurrentThread.KERNEL32 ref: 0180D0BB
GetCurrentProcess.KERNEL32 ref: 0180D0F8
GetCurrentThreadId.KERNEL32 ref: 0180D151

Memory Dump Source

Source File: 00000009.00000002.1851309213.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1800000_GedTanqRR.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6d2666ce8e363d6c807406a0dd41a7396035ef2c83aa41aecc45bcc04592cc60
Instruction ID: 15c5e286e9b9de239611824ab08d655fb38773bc14bb0be9bade6a4f509b5a9b
Opcode Fuzzy Hash: 6d2666ce8e363d6c807406a0dd41a7396035ef2c83aa41aecc45bcc04592cc60
Instruction Fuzzy Hash: 4C5169B09007098FDB58DFA9C988B9EBBF1EF48314F208419D509A7390D7345A84CF65

Function 0B5EEF08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0B5EF13E

Memory Dump Source

Source File: 00000009.00000002.1860046935.000000000B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b5e0000_GedTanqRR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3f58ae8d91640c12bc9f10daafc920497db35f77098f8eccec73ca545c427519
Instruction ID: a0e31c7583f2245a5e96766f8b027c549628fa67d5d900d8f4b157e4f97ad251
Opcode Fuzzy Hash: 3f58ae8d91640c12bc9f10daafc920497db35f77098f8eccec73ca545c427519
Instruction Fuzzy Hash: B1918F71D003198FEB18DF68CC417EEBBB2BF44310F1485A9E819A7280DB759985CFA2

Function 0180AD68 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0180AFBE

Memory Dump Source

Source File: 00000009.00000002.1851309213.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1800000_GedTanqRR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c7f692cc3847b5b4d13bee0b9079338ada770a7c7d2d4bb710aeb23a617894f3
Instruction ID: 6e9c7db11a87873d9a4ab210246d681b2bb1ecf0e2cb1c868f4d7c2ee03cced6
Opcode Fuzzy Hash: c7f692cc3847b5b4d13bee0b9079338ada770a7c7d2d4bb710aeb23a617894f3
Instruction Fuzzy Hash: 318169B0A00B098FD769DF29C44479ABBF1FF88304F00892ED44AD7A90D735EA49CB91

Function 018058ED Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018059A9

Memory Dump Source

Source File: 00000009.00000002.1851309213.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1800000_GedTanqRR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6308ae62b7875658852b85cb609b4d2304510f33e5c02bf5c4eb1871f7ed056a
Instruction ID: 96e5cea0b1b2d8322524b33a95719dd130cccdc179e917a4221ab653a9cf90bb
Opcode Fuzzy Hash: 6308ae62b7875658852b85cb609b4d2304510f33e5c02bf5c4eb1871f7ed056a
Instruction Fuzzy Hash: 555101B1D00719CFDB24CFA9C88479EBBF5BF48314F20806AD509AB291D7756A85CFA1

Function 018044B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018059A9

Memory Dump Source

Source File: 00000009.00000002.1851309213.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1800000_GedTanqRR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f59cab5e80a3cdf01cc3c3c3e90475947566483b3a2567e568baf3324697510c
Instruction ID: 0b3e5408d431064da3c2870dd3b980efd57cb6b88d04c66448dea43f6b372699
Opcode Fuzzy Hash: f59cab5e80a3cdf01cc3c3c3e90475947566483b3a2567e568baf3324697510c
Instruction Fuzzy Hash: 9541F5B0D0071DCBDB24DFA9C884BDDBBB5BF48304F20806AD509AB251DB756A45CF91

Function 0B5EEC80 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0B5EED10

Memory Dump Source

Source File: 00000009.00000002.1860046935.000000000B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b5e0000_GedTanqRR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e59232920d0a1fc81eef31072d706e747e0581ab0ec3fe1695f15f06eaf43a03
Instruction ID: ce5d9779a6543a7e7443e65be0a90680c0c00b7e285c5f7b63de9d5f9efbc833
Opcode Fuzzy Hash: e59232920d0a1fc81eef31072d706e747e0581ab0ec3fe1695f15f06eaf43a03
Instruction Fuzzy Hash: B0213BB19003099FDB14DFA9C885BDEBBF5FF48310F108429E959A7240C7759954DBA4

Function 0180D648 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0180D6D7

Memory Dump Source

Source File: 00000009.00000002.1851309213.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1800000_GedTanqRR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4216bb6820cde2ced564cd35924f26589f4ed51ec5bda4ff2977596211e72637
Instruction ID: b9b3fe20fc9638d0a8d00bc9c9fd0ee9ac048c6620fab0d8e42a2383c4c59376
Opcode Fuzzy Hash: 4216bb6820cde2ced564cd35924f26589f4ed51ec5bda4ff2977596211e72637
Instruction Fuzzy Hash: E721E5B59003089FDB10CF9AD884ADEBBF5EB48314F14801AE958A7350D375AA44CFA5

Function 0B5EEAE8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0B5EEB66

Memory Dump Source

Source File: 00000009.00000002.1860046935.000000000B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b5e0000_GedTanqRR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: af4425f3bbac792ac99a876c6f4d95d7378a39ebee3d7473c8684f0383151ec8
Instruction ID: cd2af0da2e2d8820271203b2c4d395166e235515a27a66cf42c90636a5693aa7
Opcode Fuzzy Hash: af4425f3bbac792ac99a876c6f4d95d7378a39ebee3d7473c8684f0383151ec8
Instruction Fuzzy Hash: 0C2138B19003098FDB14DFAAC4857EEBBF4EF88324F14842AD559A7241CB78A944CFA4

Function 0B5EED70 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0B5EEDF0

Memory Dump Source

Source File: 00000009.00000002.1860046935.000000000B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b5e0000_GedTanqRR.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 454b9ba7f351fca059a527c9d8664cacc96ebe8e6b8d68fd1ac5e2449ae20bdc
Instruction ID: 8778a3f65e4e09f87579edc76de0afeaaf523cf0fb355007637fb6ceb33dd6ad
Opcode Fuzzy Hash: 454b9ba7f351fca059a527c9d8664cacc96ebe8e6b8d68fd1ac5e2449ae20bdc
Instruction Fuzzy Hash: F62148B18003599FDB10DFAAC885ADEFBF5FF48310F10842AE519A7240C7749940DBA0

Function 0180D650 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0180D6D7

Memory Dump Source

Source File: 00000009.00000002.1851309213.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1800000_GedTanqRR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0c36a861340e2d6c265dc7a7420e353d22652208a26bb5a5e670fbb4c1d4aa90
Instruction ID: 87108c857654f498e1f291b376e68dcb778293908b5f2732d7af3fadf0104d2a
Opcode Fuzzy Hash: 0c36a861340e2d6c265dc7a7420e353d22652208a26bb5a5e670fbb4c1d4aa90
Instruction Fuzzy Hash: DA21E4B59002089FDB10CF9AD884ADEBFF4EB48310F14801AE918A7350C375A944CFA4

Function 0B5E2778 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0B5E27EB

Memory Dump Source

Source File: 00000009.00000002.1860046935.000000000B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b5e0000_GedTanqRR.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3bc2d251c7fdb8b0d38e3bbd92b6900acb3b8476ebf873bd90333708aeabd466
Instruction ID: dc912a203651a381108ff70331d38a2c50f24c6ac96be2fdc5deec7990dd72e4
Opcode Fuzzy Hash: 3bc2d251c7fdb8b0d38e3bbd92b6900acb3b8476ebf873bd90333708aeabd466
Instruction Fuzzy Hash: 5C21F9B59003499FDB14DF9AC884BDEFBF8FB48320F108469E968A7251D375A544CFA1

Function 0B5E2770 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0B5E27EB

Memory Dump Source

Source File: 00000009.00000002.1860046935.000000000B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b5e0000_GedTanqRR.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b3af8c53069a5c3bd0887d138f2e828b539635083b29d0e376028ee38d9f59c6
Instruction ID: 068d494dbeafa0dfe94c42d3c82761b717b327d922c70bd2739b9953dc3eb9c0
Opcode Fuzzy Hash: b3af8c53069a5c3bd0887d138f2e828b539635083b29d0e376028ee38d9f59c6
Instruction Fuzzy Hash: 572117B59002499FDB10CF9AC984BDEFBF4FB48320F14846AE868A7351D379A544CFA1

Function 0B5EEBC0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0B5EEC2E

Memory Dump Source

Source File: 00000009.00000002.1860046935.000000000B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b5e0000_GedTanqRR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0291b3f71eba716cf8b47cdd6e52afa564de37a87e9c939549a8db395cdd97b6
Instruction ID: dbf5e29fc016237cc310a69a1e1e0d5eb18e04880d8fb523714029cdac17feea
Opcode Fuzzy Hash: 0291b3f71eba716cf8b47cdd6e52afa564de37a87e9c939549a8db395cdd97b6
Instruction Fuzzy Hash: 631156718002088FDB14DFAAC845AEFBBF5EB88320F208419E529A7250C775A940CBA0

Function 0B5EEA38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0B5EEA9A

Memory Dump Source

Source File: 00000009.00000002.1860046935.000000000B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b5e0000_GedTanqRR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7a2964b95597ac76c3bf32cb50df8f5d186bcb9be6fd4325adf0b2f1540d4226
Instruction ID: 25114d90b79d1d883f17f91e12336cd8876b81d12f296f6a9c19973c374f9b57
Opcode Fuzzy Hash: 7a2964b95597ac76c3bf32cb50df8f5d186bcb9be6fd4325adf0b2f1540d4226
Instruction Fuzzy Hash: D6113AB19003498FDB14DFAAC4497DFFBF5EB88324F20845DD519A7240CB75A944CBA4

Function 0180AF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0180AFBE

Memory Dump Source

Source File: 00000009.00000002.1851309213.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1800000_GedTanqRR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c43fdc9cb8d4adee13bc8b9da4da9c17cedad6be8748ad61cede84a88c04a2fc
Instruction ID: 7ff4b2b5fbc18ecd286ecce99bda7459c98c716e66f36523078075bd21240ae4
Opcode Fuzzy Hash: c43fdc9cb8d4adee13bc8b9da4da9c17cedad6be8748ad61cede84a88c04a2fc
Instruction Fuzzy Hash: CE1110B5C003498FDB14CF9AC844ADEFBF4EB88324F10841AD929A7640C379A645CFA1

Function 076B14A3 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 076B1505

Memory Dump Source

Source File: 00000009.00000002.1857914391.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_76b0000_GedTanqRR.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6472e1faf75be79bf7b5def38555903a31142ddba4acbe57daf3cfc928c6d12c
Instruction ID: 6c4ee729a620703e963caac5f525fdcf5346643cc9dc6c182a022823931328d1
Opcode Fuzzy Hash: 6472e1faf75be79bf7b5def38555903a31142ddba4acbe57daf3cfc928c6d12c
Instruction Fuzzy Hash: CB1115B58003499FDB10DF9AC889BDEFBF8EB49324F10881AE559A7700C375A584CFA1

Function 076B14A8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 076B1505

Memory Dump Source

Source File: 00000009.00000002.1857914391.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_76b0000_GedTanqRR.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 057fd59092e045159bf4b791d5dda6ae1cf8096605b5107dc169b0e8b9bda877
Instruction ID: 52328f340eea373e551211c523231032848a0c567708ff82f6a8454518979965
Opcode Fuzzy Hash: 057fd59092e045159bf4b791d5dda6ae1cf8096605b5107dc169b0e8b9bda877
Instruction Fuzzy Hash: 3D11E5B58003499FDB10DF9AC889BDEFBF8EB49324F10841AD559A7640C375A584CFA1

Function 0142D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1849765445.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_142d000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37a6c69b976eebf8acb212a71d973a1922dd322e20cbda24b1979dd8459e14f
Instruction ID: 8827de365e60d04be3cc0741885ffc962865c659f04c58243f01c97f0440a64d
Opcode Fuzzy Hash: f37a6c69b976eebf8acb212a71d973a1922dd322e20cbda24b1979dd8459e14f
Instruction Fuzzy Hash: 092136B1904200DFDB05DF48C9C4B56BF65FB94324F60C57AD90A0B366C336E496CBA1

Function 0143D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1849870069.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_143d000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287548341fb2d0a919c8422ead4605d7bbceb2e09ceb344defa18b4e7e9d45b9
Instruction ID: 63a9b063b276e56b925394af2594b05c4b250c01b35d72165029b369e78460ad
Opcode Fuzzy Hash: 287548341fb2d0a919c8422ead4605d7bbceb2e09ceb344defa18b4e7e9d45b9
Instruction Fuzzy Hash: 7A210A71904200DFDB05DF54D9C4B16BBA5FBC8324F64C56ED9094B362C736D416CB61

Function 0143D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1849870069.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_143d000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eacb06ed20200fe11e6a5036c287152eed0fb825e473a374faabe8132560f6d
Instruction ID: dd57cfdbc490942f5bc1e628c2a7a336691794b68b60c49916c0003294f78112
Opcode Fuzzy Hash: 3eacb06ed20200fe11e6a5036c287152eed0fb825e473a374faabe8132560f6d
Instruction Fuzzy Hash: 7F21F1B1A042009FDB15DF58D884B16FBB5EB88718F60C56AD90A0B3A6C336D407CA61

Function 0143D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1849870069.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_143d000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb13c3e52122447216d17a5147202bfa0ba127562a85c2b19dc5eed169fb57cb
Instruction ID: 51a6de0c833c565cc67a5c8dcc6c7528feb13fc1d4ef23bce4dd1e19fb1adcd0
Opcode Fuzzy Hash: fb13c3e52122447216d17a5147202bfa0ba127562a85c2b19dc5eed169fb57cb
Instruction Fuzzy Hash: 8B2180755093808FDB03CF64D594716BF71EB86214F28C5DBD8498F2A7C33A980ACB62

Function 0142D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1849765445.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_142d000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: f1e092b82b2247e3761de23ef5ed0b791ea00c2e3b2ee964aae4a29b2d48f42b
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: BF11D276904240CFDB02CF44D9C4B56BF71FB84324F24C2AAD9090B266C33AD456CB91

Function 0143D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1849870069.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_143d000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: eb0203c7a4ea612dd80afdde67fb160c9741bfcd906e3906cf56276348a01c36
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 8711BB75904280DFDB02CF54C5C4B16BBB2FB88224F24C6AED8494B3A6C33AD40ACB61

Analysis Process: GedTanqRR.exePID: 7436, Parent PID: 8088COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	4

Executed Functions

Function 06A43578 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A43C83
$^q, xrefs: 06A43C9B
$^q, xrefs: 06A43C5A
$^q, xrefs: 06A43CA7
$^q, xrefs: 06A43C77
$^q, xrefs: 06A43C4E

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 6af58647da47af5fbc32c2de8a19e61aec331108527b07cd2fd1b1bf2cd3315a
Instruction ID: c3f6851cbcd7f1c3ceacb714d4fe5fb76840aae04935f08b7834f52cbd65c365
Opcode Fuzzy Hash: 6af58647da47af5fbc32c2de8a19e61aec331108527b07cd2fd1b1bf2cd3315a
Instruction Fuzzy Hash: F8322031E1071A8FCB54EF75C89459DB7B6FFC9300F61CAA9D409AB254EB30A985CB81

Function 06A47E90 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A48437
$^q, xrefs: 06A4842B

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 696da4222465269270144771d64c5d02312c1552e3a46e90d5ddb97238b6ba5e
Instruction ID: 8a16f65d71c11fe9d8de3ccf8471243f6b58e62323f27d567c25b746f7dba044
Opcode Fuzzy Hash: 696da4222465269270144771d64c5d02312c1552e3a46e90d5ddb97238b6ba5e
Instruction Fuzzy Hash: 37026B31B102158FDB58EB68E89066EB7E6FFC4304F148969D419DB384DB35EC82CB91

Function 06A456A8 Relevance: 1.8, Strings: 1, Instructions: 590
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06A459FB

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 8f39fc0134e9da4f699de8d104b7a8f5bd02d199fc446c0a661ead6d6f6133a6
Instruction ID: 333f471b69bdaec73c7cef4d0d90350affdf1568dff5999ec1ac9c61d9b89e9a
Opcode Fuzzy Hash: 8f39fc0134e9da4f699de8d104b7a8f5bd02d199fc446c0a661ead6d6f6133a6
Instruction Fuzzy Hash: 3622BE71E002198FDF64EBA4C8846AEBBF2FF85324F208469D459AF345DA35DC46CB91

Function 06A42718 Relevance: 1.1, Instructions: 1058COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1f321d7e39b7113c884abfafb4fb8b9782a28c382d3b1247d09ad3df99d7d4
Instruction ID: b4dc7a0fa855f0d747a9e5ddf0860889dfd9ffe376e4f89633eea02cdde03c79
Opcode Fuzzy Hash: 2e1f321d7e39b7113c884abfafb4fb8b9782a28c382d3b1247d09ad3df99d7d4
Instruction Fuzzy Hash: 8FA20334A002088FDB64EB68C984B9DBBF2FB89314F5584A9E4499F361DB35ED85CF41

Function 06A46700 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfe7c163b8bb119766d0489ce1d40a8fa5362b91d4749e0d37cdc9e323489a5
Instruction ID: 9bda34ddae76ed93dbcaf1e0ff4e8728700475b1d5bec88fdd57dfbd2739672f
Opcode Fuzzy Hash: 4cfe7c163b8bb119766d0489ce1d40a8fa5362b91d4749e0d37cdc9e323489a5
Instruction Fuzzy Hash: CC628C35A102158FDB54FB68D990AAEB7F2EFC9314F248469E40ADB354DB35EC42CB90

Function 06A4ADE0 Relevance: 10.4, Strings: 8, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A4AF83
$^q, xrefs: 06A4AF54
$^q, xrefs: 06A4AF8F
$^q, xrefs: 06A4AF01
$^q, xrefs: 06A4AF0D
$^q, xrefs: 06A4AF60
$^q, xrefs: 06A4AFAC
$^q, xrefs: 06A4AFB8

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 77f49e02a96cdbb1c2697d678255c5c0259a06c04fcc2bc596173a517eeec4d4
Instruction ID: e75b5c516ddcfbd48169c6dea0ad075f398915ea5a6079fd6de2c81283bdfb76
Opcode Fuzzy Hash: 77f49e02a96cdbb1c2697d678255c5c0259a06c04fcc2bc596173a517eeec4d4
Instruction Fuzzy Hash: 83E15C71E102198FDB69FF69D8806AEB7B2FFC5305F108929E4199F348DB31D8468B91

Function 06A49260 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A49317
$^q, xrefs: 06A4930B
$^q, xrefs: 06A492DC
$^q, xrefs: 06A492D0

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 85960097e4273c3af88bd89d3cd9525b06379a2badc2f3a3236da8ad7b5f2731
Instruction ID: fc3b7b88e5b4efb1400983c4051fa9370e783d27ec35880cdb1d300d35c7088a
Opcode Fuzzy Hash: 85960097e4273c3af88bd89d3cd9525b06379a2badc2f3a3236da8ad7b5f2731
Instruction Fuzzy Hash: 02917E31B1021A8FDB54EF65D8507AFB7F6ABC9204F108569C41DEB384EE709D428B91

Function 06A4D068 Relevance: 4.5, Strings: 3, Instructions: 797
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A4D473
$^q, xrefs: 06A4D45F
$^q, xrefs: 06A4D467

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 08fa75c57389826ec45a6afaef6da79eb9549ecbbb36c5cbc7e683ec33aedbb2
Instruction ID: ca34d5d03254b55bd1d3d8a45e68deee7a9185c031a5513c42634a13931bbb4c
Opcode Fuzzy Hash: 08fa75c57389826ec45a6afaef6da79eb9549ecbbb36c5cbc7e683ec33aedbb2
Instruction Fuzzy Hash: CA623C31A102168FCB55FB68D990A5EB7F2FF84305B208A69D4499F359DB71FC86CB80

Function 06A44C78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06A44E53
XPcq, xrefs: 06A44DC9
fcq, xrefs: 06A44CA3

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: e13c052844989f6cafb6c0a407ce683458963fe90496d05b9dfa7d2153f30d4e
Instruction ID: 81f0d52453cdd7fcee02e14b93524b8632be34b28d9488daf50598fa028e2a4c
Opcode Fuzzy Hash: e13c052844989f6cafb6c0a407ce683458963fe90496d05b9dfa7d2153f30d4e
Instruction Fuzzy Hash: BB618F31F102199FEB54AFA8C8557AEBBF6FBC8700F208429D109AB394DB758C458B91

Function 06A49252 Relevance: 2.7, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A4930B
$^q, xrefs: 06A492D0

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 0489b156fc8f2f6a97f22f3a678d8263aaf064a23da4189fb821371456fd1ad9
Instruction ID: 656a2b4e5307ce777b7647ebf40486114a17ea40fa8501e08839fb9e8af3b526
Opcode Fuzzy Hash: 0489b156fc8f2f6a97f22f3a678d8263aaf064a23da4189fb821371456fd1ad9
Instruction Fuzzy Hash: D8515F31B102159FDB54FF64D990B6FB7FAABC9244F108469C41ADF388EA70EC428B95

Function 06A44C69 Relevance: 2.6, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06A44DC9
fcq, xrefs: 06A44CA3

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 4893d7cd6776bce17b57a48731ddf959b594191ef2dea4b4d060e651d80da4f9
Instruction ID: c511b09a24cd63e94252432d6848c26c8e04c3eb548929ece5e7f691c4182364
Opcode Fuzzy Hash: 4893d7cd6776bce17b57a48731ddf959b594191ef2dea4b4d060e651d80da4f9
Instruction Fuzzy Hash: 1B517A71F102099FDB55AFA9C854BAEBBF6FBC8700F208529E105AF394DB748C018B95

Function 02C3EE90 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2975480446.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2c30000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6632224ab0280ae9fa1fb18c1c2622495fde37af79da65ab2406c7ab4feec4c9
Instruction ID: ee05e15e0f439aa5ba1322eea3bf7bcbbc2e4b312f716f3e1dea061d31c5fb5c
Opcode Fuzzy Hash: 6632224ab0280ae9fa1fb18c1c2622495fde37af79da65ab2406c7ab4feec4c9
Instruction Fuzzy Hash: 8741E172E0035A9FCB14DF69D84479EFBF5AF88310F15866AE408A7641EB789845CBD0

Function 02C38038 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(00000000), ref: 02C380B0

Memory Dump Source

Source File: 0000000D.00000002.2975480446.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2c30000_GedTanqRR.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a6d64b2d91a8b2925539bdcb881ce2ad8d3b99c0b146404b05ff6b8c0e54a579
Instruction ID: 73a2af73b10368d7bac299eaaf8a087f723c998a6d029488dffbd408d1c61179
Opcode Fuzzy Hash: a6d64b2d91a8b2925539bdcb881ce2ad8d3b99c0b146404b05ff6b8c0e54a579
Instruction Fuzzy Hash: 1C2127B2C006199BCB14DF9AC54569EFBB4EB48320F11862AE858B7350D779A944CFE1

Function 02C38040 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(00000000), ref: 02C380B0

Memory Dump Source

Source File: 0000000D.00000002.2975480446.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2c30000_GedTanqRR.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: aa71866f6be6ae870c8fb327e3fe1a20fb0a379335bd7de728445f15e7b505c6
Instruction ID: 4b30d1b2e300ffce0151cc6cee1cae6c4997e72be0b991bb876ca2b50cae9e8a
Opcode Fuzzy Hash: aa71866f6be6ae870c8fb327e3fe1a20fb0a379335bd7de728445f15e7b505c6
Instruction Fuzzy Hash: DD1136B1C006199BCB14DFAAC544A9EFBF4FF48320F11862AD818A7240D778AA44CFE1

Function 02C3EF78 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 02C3EFDF

Memory Dump Source

Source File: 0000000D.00000002.2975480446.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2c30000_GedTanqRR.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e7a87777884c9d017e1eab64905099d4c2ebaa96e4004fa55293dd3b1b5fc6e6
Instruction ID: 33556ed4aa3e13d877cbb96f7a4636fa182ca0fbfde6047e75ad120ceb8d43e5
Opcode Fuzzy Hash: e7a87777884c9d017e1eab64905099d4c2ebaa96e4004fa55293dd3b1b5fc6e6
Instruction Fuzzy Hash: A01123B1C002599FCB10DF9AC544BDEFBF4EF48320F11816AE818A7240D778A944CFA1

Function 06A4DBDD Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A4DD39

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 0e9df78ae33a69f910be1789b1f58a32df55a88eb87c4b6b70bd73274bafea51
Instruction ID: 99123bcbfbd2b7f01e5ea6cf825a7c046d53e9367a1de35d04e1bb2cddc7c809
Opcode Fuzzy Hash: 0e9df78ae33a69f910be1789b1f58a32df55a88eb87c4b6b70bd73274bafea51
Instruction Fuzzy Hash: 27418F70E103199FDB55FFB5C8946AEBBB2BF86304F24492AD405EB240DB74E946CB81

Function 06A421BD Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A4230B

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: cc2a1a461847ec7e7bc4341353768de0b46cbed278fd984d734394d475a51426
Instruction ID: eed0a4140634559f42933eb36750d261ffe604a54ad95a966b0d561eed92a02e
Opcode Fuzzy Hash: cc2a1a461847ec7e7bc4341353768de0b46cbed278fd984d734394d475a51426
Instruction Fuzzy Hash: B331DC31B102058FDB49BB74C95876E7BE2AFC9204F108868E406DF384DE35DE42CBA1

Function 06A421D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A4230B

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: cf98ae4f3ffa9a45ccc2ef9d1ff5ebb710412539479b05038598b703c3f01e6f
Instruction ID: 1221ad369fc294c90c88cffde2707109475cdb35e7cb588a3a7de0159921d87b
Opcode Fuzzy Hash: cf98ae4f3ffa9a45ccc2ef9d1ff5ebb710412539479b05038598b703c3f01e6f
Instruction Fuzzy Hash: 02319C31B102058FDB59BB74C85476EBAE2ABC9344F608868E406DF384DF75DE42CBA5

Function 06A483E0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A4842B

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 302726413cabd7730691647a5b787198b2e1694a257d33119f11835c0683b55e
Instruction ID: 6ce3cf426a80504b12cc5b276404383181f0e23546fe3162daf81edf289c550c
Opcode Fuzzy Hash: 302726413cabd7730691647a5b787198b2e1694a257d33119f11835c0683b55e
Instruction Fuzzy Hash: 08F0DC32A102108FDF68BF58FD8066877ADEBC1395F204825C90ACF204CB29E906C751

Function 06A44B61 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06A44B6D

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 51a1c4a89cff4854bb3a5d17129768ec06f4c640322ffb4fb9df4f279bda4608
Instruction ID: 5c32b6d857e1bc8974a9e384240ddd51dd5811bfced0f7a70bb734eedd52e132
Opcode Fuzzy Hash: 51a1c4a89cff4854bb3a5d17129768ec06f4c640322ffb4fb9df4f279bda4608
Instruction Fuzzy Hash: 75F0D030E54219DBDB14EF94D8997AEBBB2FF88701F204519E402A7295CB701C41CB80

Function 06A4C2A8 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f104e766881b7593a15f083cc0a75388d4833513f4d864c176d88b827bd72fd0
Instruction ID: 2dcc0bce8067c69823431a87ad4a2506da0104c4492b53a31ef0b2c496c1d94c
Opcode Fuzzy Hash: f104e766881b7593a15f083cc0a75388d4833513f4d864c176d88b827bd72fd0
Instruction Fuzzy Hash: D1328E35B112158FDB54FB68D990BADBBB2EBC8320F108529E40ADB355DB35EC42CB91

Function 06A4B3DF Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce36ab7b2a5e5d43a9bc7e9b23512d14efa2717309c5c69bb81994fd76059a8
Instruction ID: e7d68e2102e0b524f6ef1fd6cd0ef104102f6cc81ea2addcdba21b4af6f985c6
Opcode Fuzzy Hash: 1ce36ab7b2a5e5d43a9bc7e9b23512d14efa2717309c5c69bb81994fd76059a8
Instruction Fuzzy Hash: A0222A70E102098BDF64FB68D8907ADB7B2EB89315F248826E419DF395DB35DC81CB61

Function 06A46300 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cda1f9446d58935a64f1bd2623f5ed8e28f5a478f08b466aab9fe5ec1021e2d
Instruction ID: 07b497c7717eda0197116ebef096b712846764bcbf2e8a64634da0e055a07f39
Opcode Fuzzy Hash: 3cda1f9446d58935a64f1bd2623f5ed8e28f5a478f08b466aab9fe5ec1021e2d
Instruction Fuzzy Hash: B661AE71F001214FCB54AB79CC8466FEAD7AFD5620B25443AE80EDB364DE65ED0287C6

Function 06A443B2 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaf06e084f208430b8355a4ed4dfe0fc40bea4110ce0db1e4a2bcdd38e62158
Instruction ID: a868d3afe4bda323d1f28ab4715287db9e5aa2875fe66ebfa56cc5e91c2d2cbb
Opcode Fuzzy Hash: adaf06e084f208430b8355a4ed4dfe0fc40bea4110ce0db1e4a2bcdd38e62158
Instruction Fuzzy Hash: F3811C31B102099BDF54EFA9D95475EB7F6EBC9304F218429D40ADB394DB34EC428B51

Function 06A446CC Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7257bc6e554716146c9bf12ff3ef61c0ab1a2cf761557ecb12da7e0356083afc
Instruction ID: a1a09a83aa1c8e1265c0fa3d23b958e1c0c853b19b29617610aadbd79efc374b
Opcode Fuzzy Hash: 7257bc6e554716146c9bf12ff3ef61c0ab1a2cf761557ecb12da7e0356083afc
Instruction Fuzzy Hash: 05916C34E106198BDF60DF68C880B9DB7B1FF89300F208699D54DBB285DB70AA86CF51

Function 06A446E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1756784976946bca7cbac7c15540c309c7b54e268f3242d7b13f604f9b1a8a84
Instruction ID: 38d692e20fac484de308a0afa1ef5abeb29835385a65346d1b00eb397c35ea71
Opcode Fuzzy Hash: 1756784976946bca7cbac7c15540c309c7b54e268f3242d7b13f604f9b1a8a84
Instruction Fuzzy Hash: 9D914C74E106198BDF60DF68C880B9DB7B1FF89300F208699D54DBB245DB71AA85CF91

Function 06A4F031 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d051ff94065ca9429d7b12aef9a78c4c428e1faf9622b00bafa3de7c3fd093a8
Instruction ID: 71c099f2fcb76667aa55c9637b1ffb399ed730c2f62a07d290ae49fe6bf06621
Opcode Fuzzy Hash: d051ff94065ca9429d7b12aef9a78c4c428e1faf9622b00bafa3de7c3fd093a8
Instruction Fuzzy Hash: 96711971A002099FDB54EFA9D980A9DBBF6FFC4300F249969D419EB358DB30E846CB50

Function 06A4F040 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09569409f86669b5b1aec6e5fcdb2ff91682566083884cbc6dee6b8ee8c69bf1
Instruction ID: 0956bcfe71f98966f40dc6cc9ba0a0e67ef1c369e6cdff1111a6166d3ca7ec2c
Opcode Fuzzy Hash: 09569409f86669b5b1aec6e5fcdb2ff91682566083884cbc6dee6b8ee8c69bf1
Instruction Fuzzy Hash: FE711871B002099FDB54EBA9C980AADBBF6FFC4304F249569D419EB358DB70E846CB50

Function 06A4FCC1 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c6b7b2eda34a2c29a6ff6f180879a6ea00d7c8ca6945042134354dba9c5c64
Instruction ID: e540cf1ba6bf8c0796a490272831c89585647cfd4e7f292e41aff93c1959dff8
Opcode Fuzzy Hash: e5c6b7b2eda34a2c29a6ff6f180879a6ea00d7c8ca6945042134354dba9c5c64
Instruction Fuzzy Hash: F351DF31E001099FDF64FB78E8856ADB7B2FFC5316F10882AE00ADB241DB359856CB81

Function 06A4FA70 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d0e86fed80bf00d291dc7c0dd592ab2ca9c467760ed029f443a4400a00d6ac
Instruction ID: 7597b3927e9d78cbce3e5d95ec23c1f87889c3d0a047dd1d40392ac26cec91c6
Opcode Fuzzy Hash: 47d0e86fed80bf00d291dc7c0dd592ab2ca9c467760ed029f443a4400a00d6ac
Instruction Fuzzy Hash: 83518E71B302149FEF64BB68DC6472E269AD7C9311F20452AE50EDB395CB38DC425792

Function 06A4FA80 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7173d55c4aebd38726347be5b2f4c3b916c74a753f59c5c475c15c8a72b899c
Instruction ID: b1b13395c1bc49b4e25ba6096c824d71a760c68043ebbe2f15130fc11f1acc5f
Opcode Fuzzy Hash: d7173d55c4aebd38726347be5b2f4c3b916c74a753f59c5c475c15c8a72b899c
Instruction Fuzzy Hash: 6E517C71B302149FEF647B68DC64B2E269AD7C9311F20442AE50EDB395CF68DC4297A2

Function 06A45522 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37a570ed13beb07c4fdfc17eba07d51de108cf0999e5bc091267478e645fa3a
Instruction ID: 289ba5d743f5db57384a15ca2fa64bccf04b78fb07887268c7ffced72c4bfe0c
Opcode Fuzzy Hash: f37a570ed13beb07c4fdfc17eba07d51de108cf0999e5bc091267478e645fa3a
Instruction Fuzzy Hash: 55413971E006098FDF60EFA9DC81AAEFBB2EB94310F14492AE116DB650D734E8558B91

Function 06A4DA90 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221f78698224fa3ee010e870acecd94c59a0fb2987fe758eb42e18185ee4e7fa
Instruction ID: ebc9aed88ba7b53f68c19e4be1827577b788baab961d831d680ea908b9eaa683
Opcode Fuzzy Hash: 221f78698224fa3ee010e870acecd94c59a0fb2987fe758eb42e18185ee4e7fa
Instruction Fuzzy Hash: 74318671E1031A9BCF55FF64C98069EB7B2FFC5305F148925E405EB345DB70A9468B40

Function 06A42081 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c113091a8acb78a97be4ac6ea3cf481b084654cdbef8c2ce2506c1669017260
Instruction ID: df22996f15dabe86b63da61272c53b91ce8a3eeaefa0d34a4bc2da57f79ccc1d
Opcode Fuzzy Hash: 1c113091a8acb78a97be4ac6ea3cf481b084654cdbef8c2ce2506c1669017260
Instruction Fuzzy Hash: EB315E75E106099BCB55EFA8D89479EB7F2FF89310F108519E806EB350DB71AD42CB50

Function 06A42090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd89a8028df9cb03cc76c8e6752dabe56dbd10d778156cae9b99e732c8cc0abf
Instruction ID: a1d99e17cabb9005f9e3bcc4fb4ffe7723847f7c7171284bfd40dd8e2af5267c
Opcode Fuzzy Hash: dd89a8028df9cb03cc76c8e6752dabe56dbd10d778156cae9b99e732c8cc0abf
Instruction Fuzzy Hash: C1317034E102099BCB55EFA8D89469EB7F6FFC9300F108529E806EB340DB71AD42CB50

Function 06A4A418 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a38aebd98f033b738382bf3fcb1497dc1d67abe4d25f7069c37361b258af341
Instruction ID: 2733ff4062ce266376ba6ce63d742bf3e279717b0345b4d0c8ad6e58bc0a2982
Opcode Fuzzy Hash: 9a38aebd98f033b738382bf3fcb1497dc1d67abe4d25f7069c37361b258af341
Instruction Fuzzy Hash: DA217F72F101114FDB94BB6CE89076EB7A6EBC5714F108839E60DDB398EE21DC428781

Function 06A43FB9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d65797850a8f80cd7a62687cd70f7ac1964b04b554099e192df90cfa4a2104
Instruction ID: e1eb7e3390c4f65a929101bb231169e36de2351115426e3219460806e2e931bf
Opcode Fuzzy Hash: a6d65797850a8f80cd7a62687cd70f7ac1964b04b554099e192df90cfa4a2104
Instruction Fuzzy Hash: 96217A76E002159FDB40EFB9D981BAEBBF5EF88310F108025E904EB394E735D9518B95

Function 06A43FC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4bbfb29208678941a36957d04baf12d9c22d063ffa42ce4a610db407d2047b
Instruction ID: 0c60d4b7f69bf78e64836ab4ee8c4ddd0c1efdeffb4f4539511aeca7589acaa1
Opcode Fuzzy Hash: 8b4bbfb29208678941a36957d04baf12d9c22d063ffa42ce4a610db407d2047b
Instruction Fuzzy Hash: D1219C72E002059FDB50EF79D840AAEBBF5EB88310F108029E905EB344E735D9018B91

Function 0114D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974131967.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_114d000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017eb109fab6dbbc4544f9c3e43ac969fca0e414bb64bc61edcb7c23d01b8367
Instruction ID: 7fd38f609f1a44f412f35d7b2cadfc655c1f4b423660440276bff1d995478f57
Opcode Fuzzy Hash: 017eb109fab6dbbc4544f9c3e43ac969fca0e414bb64bc61edcb7c23d01b8367
Instruction Fuzzy Hash: 882125B1604200DFCF19DF98E9C0B26BBA5FB94714F24C56DD90A0B242C336D407CB62

Function 06A440D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb49155d646c73f9dcc374361f66119c548f3004889ef7f6242c8b4ec6b41c1
Instruction ID: 997dd396ec9912682f97fa85c57312f61656af2cf7a09cbccad5c459090efd4a
Opcode Fuzzy Hash: fcb49155d646c73f9dcc374361f66119c548f3004889ef7f6242c8b4ec6b41c1
Instruction Fuzzy Hash: F2118E32B141299FDB54B668CC54AAE77EAEBC8314F004039D40AEB344DE65DC028BD1

Function 06A44310 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acae13f198c34352dd41bb2899474a99818666020cf10672597b75a382cf4d5f
Instruction ID: ccd93876696c726f723993010bfc0988459c81a6d220bab0d52a96d2387108d5
Opcode Fuzzy Hash: acae13f198c34352dd41bb2899474a99818666020cf10672597b75a382cf4d5f
Instruction Fuzzy Hash: A801B132F101111BEB64B6ADA84076EB3DADBCAB20F148439E00ECF385EE65EC024385

Function 06A42370 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5f6e335df1f59289f5b0a2b26a145b3ac85662c8d0e5c301d4c91e8e79246a
Instruction ID: 0ce8ba8ed5f9db68b27c740e5cd212c9e0a415edbd62445e5c4cb8d61d96a263
Opcode Fuzzy Hash: 8e5f6e335df1f59289f5b0a2b26a145b3ac85662c8d0e5c301d4c91e8e79246a
Instruction Fuzzy Hash: 0F21FFB1D01219AFCB00EF9AD884ADEFBF4FF49310F10812AE918A7240D374A954CFA4

Function 06A43D92 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20f5b07f002b6041bc71f4c4f7cf0d7801b17ceaf164214b9791b70e4738230
Instruction ID: e547cc10e23056d01c2af0ad68c2f336a1b1f4a890c84d6bd0e34426b8c581fa
Opcode Fuzzy Hash: f20f5b07f002b6041bc71f4c4f7cf0d7801b17ceaf164214b9791b70e4738230
Instruction Fuzzy Hash: 2121C2B5D01219AFCB10DF9AD885ADEFBF4FB49310F50852AE518A7240C378A954CFA5

Function 0114D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974131967.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_114d000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: fc290cff0d248ce897bb669964c3ace2fc28feb8ad3465aee6c0004d29091765
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 5411BB75504280CFDF16CF58E5C4B15BBB2FB84724F28C6AED8494B696C33AD44ACB62

Function 06A4F2B0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5d67d1ca151991ad7ed16305f8869a3227605dbba4ed503c245b8663198a02
Instruction ID: f893bf06eff29cb538cd183147c8d683bba6aa2f0e13d2909287437551872868
Opcode Fuzzy Hash: da5d67d1ca151991ad7ed16305f8869a3227605dbba4ed503c245b8663198a02
Instruction Fuzzy Hash: 8901F275B141104FCB55E77CA99472EA7DADBCA211F148879E10ECB380DE54DC038B86

Function 06A44320 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66528d8621a586d68061644b776c385ad08d3b899fb75e8afd169775c7187d4e
Instruction ID: 947ddc1904c5259ecf2415ebbe99c85629b42f04b948a95900187c71fc287a27
Opcode Fuzzy Hash: 66528d8621a586d68061644b776c385ad08d3b899fb75e8afd169775c7187d4e
Instruction Fuzzy Hash: 2E016D31B101101BDB64B6ADA85472FF3DADBCAB21F248839E50ECB344DE61EC024395

Function 06A440C9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f33a95692b16ad17c72c5ae6a382b4c34c28a9056a8786561058dbc352361ba
Instruction ID: d432779282ee174f5b7f1f653096a0bcf56bc74e14938508e5e903acc687835e
Opcode Fuzzy Hash: 1f33a95692b16ad17c72c5ae6a382b4c34c28a9056a8786561058dbc352361ba
Instruction Fuzzy Hash: 8E018B36F241295BEB94B668DC517AA63EADBC8214F144036D50AEB344EA649C1247D2

Function 06A4F2C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6087faa9bcd17d7e5f534eb52a92dc74339ad84dcb991dedd5a9873e158b72
Instruction ID: f9a60bcb1124b23f4a27eeb9fa8571dc90e4e333e128523de2771b9b422c9df9
Opcode Fuzzy Hash: 6a6087faa9bcd17d7e5f534eb52a92dc74339ad84dcb991dedd5a9873e158b72
Instruction Fuzzy Hash: F7018C35B101105FCB64B6ADA89472EA2DADBCA621F249839E50ECB344EE25EC034786

Function 06A4A428 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c48e1dc04d6059e9fa8ea173ce1d00e5fec13cdbb7daa058abeb5f335c2eaf5
Instruction ID: ac37aa763c1eabb032e5cb9ecc2ac8e0c459531eddd3de6b52c47e3735407434
Opcode Fuzzy Hash: 7c48e1dc04d6059e9fa8ea173ce1d00e5fec13cdbb7daa058abeb5f335c2eaf5
Instruction Fuzzy Hash: C7016D31B201144BDB64BB7CE85472E77DADBC9764F108828E20ECB398DE21DC428785

Function 06A4C900 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c32198bd20f6d8c8cc1e10d503a7dc5b95bb6ef01936e7fe8748274b03b7d4
Instruction ID: 6db20268dc1cc534b4d692cf324b3ff9b34399f904a29df7063402b276ca1573
Opcode Fuzzy Hash: b7c32198bd20f6d8c8cc1e10d503a7dc5b95bb6ef01936e7fe8748274b03b7d4
Instruction Fuzzy Hash: D501A932F21224ABCB58BB69EC4069D7776F7C5364F104429E509DB345DB32A8058BC4

Function 06A46580 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e89575bff7b37e3b8eafeec7e82f600c02e30c193e17bed7554c12c3bd3bac
Instruction ID: fea96cc93226ead3cbcbb84c124f7a4c697d802c33073f0ddee5634f6af147ed
Opcode Fuzzy Hash: d1e89575bff7b37e3b8eafeec7e82f600c02e30c193e17bed7554c12c3bd3bac
Instruction Fuzzy Hash: A6E04871D151445FDF50FB70CF5935A7BA49B83205F2048E6D844DB14AE176CE45C742

Non-executed Functions

Function 06A477B0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A478D1
$^q, xrefs: 06A47CFC
$^q, xrefs: 06A478A0
$^q, xrefs: 06A47D12
$^q, xrefs: 06A47C5D
$^q, xrefs: 06A47C69
$^q, xrefs: 06A478AC
$^q, xrefs: 06A47D08
$^q, xrefs: 06A478DD
$^q, xrefs: 06A47D1E

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 3496f0258ad8b91a5198edda58e9d166cf041313f0fa0677888bd8a2d836ea79
Instruction ID: e92507452cc7cb17e158bbc66ebb582097309af07afd274ddeb7def701a72ac8
Opcode Fuzzy Hash: 3496f0258ad8b91a5198edda58e9d166cf041313f0fa0677888bd8a2d836ea79
Instruction Fuzzy Hash: 50122A31E102598FDB68EF64C844AADB7F6BF88305F208969D409AB354DB30DD85CF81

Function 06A4AA48 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A4ABD0
$^q, xrefs: 06A4AB99
$^q, xrefs: 06A4AB3E
$^q, xrefs: 06A4ABA5
$^q, xrefs: 06A4AB4A
$^q, xrefs: 06A4ABFA
$^q, xrefs: 06A4ABC4
$^q, xrefs: 06A4AC06

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: ed33515c0cdcf94884b62657e0347feeaf7a888aacc24c82575c3d6cb593c863
Instruction ID: 71adaaa5152769bfa25199f5d4000643407d040402a4702a8ca63f0d8b02a37a
Opcode Fuzzy Hash: ed33515c0cdcf94884b62657e0347feeaf7a888aacc24c82575c3d6cb593c863
Instruction Fuzzy Hash: 8C916E71E502099FDBA8FBA4D944BAE7BF2BF84301F108829D9059B358DB749C45CB90

Function 06A471B0 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

.5vq, xrefs: 06A4720B
$^q, xrefs: 06A476B8
$^q, xrefs: 06A476C4
$^q, xrefs: 06A474EC
$^q, xrefs: 06A47492
$^q, xrefs: 06A474F8
$^q, xrefs: 06A4764C

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: d2ed195d2e888a0190b5cafc1d5909319cf83fbe6d6318e294a6c7fa836b8109
Instruction ID: eccd584daad078cb5d1cd82ce43b228b33d53159a6865e1b444148d1a0e073f1
Opcode Fuzzy Hash: d2ed195d2e888a0190b5cafc1d5909319cf83fbe6d6318e294a6c7fa836b8109
Instruction Fuzzy Hash: 5FF12A31A102498FDB59FB68C894A6EBBB7FF84301F248969D4059F358DB35EC42CB80

Function 06A4BB28 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A4BCF5
$^q, xrefs: 06A4BCCD
$^q, xrefs: 06A4BD35
$^q, xrefs: 06A4BD01
$^q, xrefs: 06A4BCC1
$^q, xrefs: 06A4BD29

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: e3e58eb095ac6615fe7923b0dc354c06a15b59f45979f043b41b7309efde845b
Instruction ID: c4cfc135c038da2d42d487c3666020c6668556b9b809c5d2d0f1df0d9e530d88
Opcode Fuzzy Hash: e3e58eb095ac6615fe7923b0dc354c06a15b59f45979f043b41b7309efde845b
Instruction Fuzzy Hash: 3B717C30E102198FDB68FFA9D8806ADB7F2FFC5305B10896AD40A9F254DB71E945CB91

Function 06A484E8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A48742
$^q, xrefs: 06A487A7
$^q, xrefs: 06A487B3
$^q, xrefs: 06A4874E

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: efe36be1dae20961f9f4e34af3d0a15c5119a196b2af7869dfba36de2d93d80a
Instruction ID: 6f114dfe4fa6587cd09c197742e936b4c06ffd9f6b2e2f5e901a0c52e30ad08c
Opcode Fuzzy Hash: efe36be1dae20961f9f4e34af3d0a15c5119a196b2af7869dfba36de2d93d80a
Instruction Fuzzy Hash: 8FB11D30E102198FDB58FF68D99466EB7B2BF84305F248829D41A9B354DB79DC86CB81

Function 06A48900 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A4897F
LR^q, xrefs: 06A48A42
LR^q, xrefs: 06A489F3
$^q, xrefs: 06A4898B

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: a0ac2ac05307a64f7ae402eb5802501207bce731faf367142c2fe74c39f9da86
Instruction ID: a927173f6253525ee16555660e888e311d6550183de70490ecb8731dc5ff8b07
Opcode Fuzzy Hash: a0ac2ac05307a64f7ae402eb5802501207bce731faf367142c2fe74c39f9da86
Instruction Fuzzy Hash: A851B031B102018FDB58FB28D890A6EB7F6BFC5301B108968E4159F399DB35EC41CB91

Function 06A4ADD6 Relevance: 5.2, Strings: 4, Instructions: 158COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A4AF83
$^q, xrefs: 06A4AF54
$^q, xrefs: 06A4AF01
$^q, xrefs: 06A4AFAC

Memory Dump Source

Source File: 0000000D.00000002.3020303162.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a40000_GedTanqRR.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: d81ea41d2e0b1ac3693117eb9aae7d23c85d332f19321c3d57cc1dd56d5b890f
Instruction ID: 39a616362e4b2e1fc8f5aec6c9e7e6d4f68ae086b3072101ffecf073a1dad170
Opcode Fuzzy Hash: d81ea41d2e0b1ac3693117eb9aae7d23c85d332f19321c3d57cc1dd56d5b890f
Instruction Fuzzy Hash: 13517971E112158BDB69FB64D9806AEB7B2EFC5301F208929E916DF358DB31DC41CB90

Analysis Process: sgxIb.exePID: 7260, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	104
Total number of Limit Nodes:	8

Executed Functions

Function 01A0CFF1 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01A0D07E
GetCurrentThread.KERNEL32 ref: 01A0D0BB
GetCurrentProcess.KERNEL32 ref: 01A0D0F8
GetCurrentThreadId.KERNEL32 ref: 01A0D151

Memory Dump Source

Source File: 0000000F.00000002.1914028477.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1a00000_sgxIb.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: db20c7e16ccb3d86bf26de46df2608a77b71f77327142a5ee0dc51f82ae9d9c9
Instruction ID: aae7e9ab5de8320c08b4890178e44abae04bb5d9e0742bad63a6dec1583a2d52
Opcode Fuzzy Hash: db20c7e16ccb3d86bf26de46df2608a77b71f77327142a5ee0dc51f82ae9d9c9
Instruction Fuzzy Hash: E85157B19003098FEB14DFA9D548B9EBFF1EF48314F248459E41AAB3A0DB749984CF65

Function 01A0D000 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01A0D07E
GetCurrentThread.KERNEL32 ref: 01A0D0BB
GetCurrentProcess.KERNEL32 ref: 01A0D0F8
GetCurrentThreadId.KERNEL32 ref: 01A0D151

Memory Dump Source

Source File: 0000000F.00000002.1914028477.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1a00000_sgxIb.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a7f19120cb4dc89cd8dc20f825ec57512ef532fe8cbbe6ed7169c2af433f8ad1
Instruction ID: a5db5088541b8898104d5bde7e84bc2a4846995a657200c983c272c5a28fc576
Opcode Fuzzy Hash: a7f19120cb4dc89cd8dc20f825ec57512ef532fe8cbbe6ed7169c2af433f8ad1
Instruction Fuzzy Hash: E05147B19003098FEB14DFA9D548B9EBBF1EF48314F208459E419AB3A0DB745984CF65

Function 0B82EF08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0B82F13E

Memory Dump Source

Source File: 0000000F.00000002.1922508497.000000000B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b820000_sgxIb.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1342eec363e463f1f9b4019bf0f8cb6e2e0c9338b3ab12274f267352209453c0
Instruction ID: 22f92ae6aa7c253563272de1d332e136c292186585457b88dab240c565e42623
Opcode Fuzzy Hash: 1342eec363e463f1f9b4019bf0f8cb6e2e0c9338b3ab12274f267352209453c0
Instruction Fuzzy Hash: 6A915D71D0032A9FDB24DFA8C8407DEBBB2BF45314F1485A9D909E7290DB749985CF92

Function 01A0AD68 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01A0AFBE

Memory Dump Source

Source File: 0000000F.00000002.1914028477.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1a00000_sgxIb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 25573073a3b507d3263d210576257e3153dc8fee43f54b7a3ef0974c1bd5d6b8
Instruction ID: 62f542100925ffca1c8c2d03277b5ee28b3b564f7c7143eabb128e614691b40c
Opcode Fuzzy Hash: 25573073a3b507d3263d210576257e3153dc8fee43f54b7a3ef0974c1bd5d6b8
Instruction Fuzzy Hash: 858168B0A00B058FD725DF69E44475ABBF1FF88304F04892ED08ADBA91DB74E849CB90

Function 01A058ED Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01A059A9

Memory Dump Source

Source File: 0000000F.00000002.1914028477.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1a00000_sgxIb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2da3cf36dbeee00d6995bf6456da0a867b8d6a3140fa9e0b91db9d62f85287e8
Instruction ID: 21b83425a1056e864bcbe1bd60b5b897fb691a188da8e66448a603f504c6528d
Opcode Fuzzy Hash: 2da3cf36dbeee00d6995bf6456da0a867b8d6a3140fa9e0b91db9d62f85287e8
Instruction Fuzzy Hash: C55100B1C007198EDB24CFA9D8887DDBBF1AF49314F24806AD419AB291C779694ACF91

Function 01A044B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01A059A9

Memory Dump Source

Source File: 0000000F.00000002.1914028477.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1a00000_sgxIb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e29f146c9de4be63ce96d1e86c685856ac473d1dcba9c6511ddba4120b798c0b
Instruction ID: c4a46f3a45873d8fe5c62fd0298cab06230275e45a644f9fdbac9e6a0cc1ba24
Opcode Fuzzy Hash: e29f146c9de4be63ce96d1e86c685856ac473d1dcba9c6511ddba4120b798c0b
Instruction Fuzzy Hash: B241F1B0C0071DCFDB24DFA9C884B9DBBB5BF49304F20806AD409AB251DB756946CF91

Function 0B82EC80 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0B82ED10

Memory Dump Source

Source File: 0000000F.00000002.1922508497.000000000B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b820000_sgxIb.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 33b067d0c6001903d71c07b2d33e30b6fd5f0652910e79d25eb32f519ab8ed5e
Instruction ID: aa992d2e0ee4b41ab4e779a67986f836be9b846d7a6c0ae959ae5a23f36df4ed
Opcode Fuzzy Hash: 33b067d0c6001903d71c07b2d33e30b6fd5f0652910e79d25eb32f519ab8ed5e
Instruction Fuzzy Hash: E82139B19003199FCB10DFA9C885BDEBBF5FF48310F10842AE959A7251C778A954DBA4

Function 0B8015F8 Relevance: 1.6, APIs: 1, Instructions: 64
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B8015C5

Memory Dump Source

Source File: 0000000F.00000002.1922431803.000000000B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b800000_sgxIb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 16eecf67cb7ecd5ca1065dc01cd037c3e10fd8bb898f8dd0e9423b8596230258
Instruction ID: 720785a3a0902335b2fc0bec09e65c32e4ffd1b0479374228018e5e82f0512f9
Opcode Fuzzy Hash: 16eecf67cb7ecd5ca1065dc01cd037c3e10fd8bb898f8dd0e9423b8596230258
Instruction Fuzzy Hash: 73219FB29152588FDB10EFA5DC0A7DEBBF4AB44360F148059E511BB2A1CB35A944CBA1

Function 0B82EAE8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0B82EB66

Memory Dump Source

Source File: 0000000F.00000002.1922508497.000000000B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b820000_sgxIb.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6dbc537497f123ef894dd4517bcb992612893e7a03ca2fc05f896e9f8e1ea182
Instruction ID: 3d6007363567a09410ce1edc812c803fac98bfbf9a75c993903c0f817f1966fb
Opcode Fuzzy Hash: 6dbc537497f123ef894dd4517bcb992612893e7a03ca2fc05f896e9f8e1ea182
Instruction Fuzzy Hash: 8A2138B19003098FDB10DFAAC4857EEBBF4EF88320F148429D519A7241CB78A984CFA5

Function 0B82ED70 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0B82EDF0

Memory Dump Source

Source File: 0000000F.00000002.1922508497.000000000B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b820000_sgxIb.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1ce5bd7d64d91b8581a1aa5043c9fdf1d223689055d6984b82745b495d9a762b
Instruction ID: bf3ff14758220ae6b8203411c95f93e17eb7ae91d3c9a241ebe530fbc552fd24
Opcode Fuzzy Hash: 1ce5bd7d64d91b8581a1aa5043c9fdf1d223689055d6984b82745b495d9a762b
Instruction Fuzzy Hash: FB2128B18003599FCB10DFAAC845BDEFBF5FF48310F108429E519A7250C7749954DBA5

Function 01A0D648 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A0D6D7

Memory Dump Source

Source File: 0000000F.00000002.1914028477.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1a00000_sgxIb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 006f72e55898688d4036ed47c99bea835526dc848c7fffaee8aa9b33d765df3c
Instruction ID: 9a870961ebcc22c7e7415d076190358b7417e2839ef48952bcb41f5a43db2381
Opcode Fuzzy Hash: 006f72e55898688d4036ed47c99bea835526dc848c7fffaee8aa9b33d765df3c
Instruction Fuzzy Hash: B32114B5D002089FDB10CFA9D984ADEBFF4EB48310F14801AE958A7350C378A940DF60

Function 01A0D650 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A0D6D7

Memory Dump Source

Source File: 0000000F.00000002.1914028477.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1a00000_sgxIb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0566154db0af6b3ca89f6d8f48ce7f8334b129032a13cef05db540f0295ad380
Instruction ID: c043a2d18c27c8a5a0ae5023940be29bbb0c8c5a5b5978fbe17cef824e3da186
Opcode Fuzzy Hash: 0566154db0af6b3ca89f6d8f48ce7f8334b129032a13cef05db540f0295ad380
Instruction Fuzzy Hash: B821E4B59002089FDB10CFAAD884ADEBFF4EB48310F14801AE918A7350D374A954DF65

Function 0B822770 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0B8227EB

Memory Dump Source

Source File: 0000000F.00000002.1922508497.000000000B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b820000_sgxIb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e5c1ecbe1514726009e742974f9c3000530522871aee4c235382885d607e7246
Instruction ID: c79ea98fee98c2e195805c96293fa8f56267ef79d643a65375fff1c5bf6587f5
Opcode Fuzzy Hash: e5c1ecbe1514726009e742974f9c3000530522871aee4c235382885d607e7246
Instruction Fuzzy Hash: 4D2108B5D002499FCB10DF9AC544BDEBBF4FB48320F148469E958A7251D378A644CFA1

Function 0B822778 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0B8227EB

Memory Dump Source

Source File: 0000000F.00000002.1922508497.000000000B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b820000_sgxIb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e9527880c11068504882115cf888c48def6f61a60cb25c65ba1e199d6032228d
Instruction ID: 4ad226a86f9c003d5907117dda71926a294e1046cf1a62a4d282cdc9ee4ba409
Opcode Fuzzy Hash: e9527880c11068504882115cf888c48def6f61a60cb25c65ba1e199d6032228d
Instruction Fuzzy Hash: 8921E4B59002499FCB10DF9AC884BDEFBF4FB48320F108429E958A7251D778A644CFA1

Function 0B82EBC0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0B82EC2E

Memory Dump Source

Source File: 0000000F.00000002.1922508497.000000000B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b820000_sgxIb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2f95a551f154f77953c70b73515c29f78f8796dcd698636aec2c400f3584676e
Instruction ID: 362a518ffe6d9255ebcd35712a23afd07d1a0d981a8c37ed74a80b762e30ac0b
Opcode Fuzzy Hash: 2f95a551f154f77953c70b73515c29f78f8796dcd698636aec2c400f3584676e
Instruction Fuzzy Hash: D91167B18003099FCB10DFAAC845AEFBFF5EF88320F248419E519A7250CB75A954DFA5

Function 0B82EA38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0B82EA9A

Memory Dump Source

Source File: 0000000F.00000002.1922508497.000000000B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b820000_sgxIb.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 24a28d4df1649bfbc1b4a9b04cbb8ee4876aaca60cdf5fad7238795ef8ca38eb
Instruction ID: 4d760346fd0507441059d2de912e69cbb02f1d78b37f4cb42afc726c08a9723e
Opcode Fuzzy Hash: 24a28d4df1649bfbc1b4a9b04cbb8ee4876aaca60cdf5fad7238795ef8ca38eb
Instruction Fuzzy Hash: 6E1136B19003498FDB20DFAAC4457DEFBF5EB88324F248819D51AA7250CB75A944CBA5

Function 01A0AF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01A0AFBE

Memory Dump Source

Source File: 0000000F.00000002.1914028477.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1a00000_sgxIb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0fc4268c07b78bb12acf94bba2f4cb4222dadab61d8bb7cb36835ef577066e3e
Instruction ID: 1830394fefa041038d147c4d476c7e9570f7b9410c7f6defc9e7527ff144768f
Opcode Fuzzy Hash: 0fc4268c07b78bb12acf94bba2f4cb4222dadab61d8bb7cb36835ef577066e3e
Instruction Fuzzy Hash: 5D1110B5C003498FDB10CF9AD444ADEFBF4EB88324F10841AD419A7650C779A545CFA1

Function 0B801568 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B8015C5

Memory Dump Source

Source File: 0000000F.00000002.1922431803.000000000B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b800000_sgxIb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: efc03bf0e9a0e24c13eaf7120defc79996f417b1e369193ec91caa24578b51dc
Instruction ID: 042352cbcbd3177a4acf11b9d8a151ea38f0f8454c9629b37064bd8321a6fd3e
Opcode Fuzzy Hash: efc03bf0e9a0e24c13eaf7120defc79996f417b1e369193ec91caa24578b51dc
Instruction Fuzzy Hash: 8C11E5B58003499FDB10DF9AD849BDEFFF8EB48320F108459E519A7650C775A544CFA1

Function 0B801562 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B8015C5

Memory Dump Source

Source File: 0000000F.00000002.1922431803.000000000B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b800000_sgxIb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 357c1f218cbfae61b103fce6096e21da3ebcd96d0afa490052f0fc9001e064a0
Instruction ID: 7ff2c8db98402154a987b4bdfab4669089d5f7687a7e79b67c0f3851d5c84273
Opcode Fuzzy Hash: 357c1f218cbfae61b103fce6096e21da3ebcd96d0afa490052f0fc9001e064a0
Instruction Fuzzy Hash: ED1115B5800349DFDB10DF99D949BDEBBF8EB48320F10840AE519B7650C374A544CFA1

Function 0161D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1912709538.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_161d000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63882e3a89d37fc6f24073d9bc24f3a19192eae7687f8c43c4b4058a4941ef6
Instruction ID: 7e30592d91fd9e03bcd5eecbc51ca5cfde43fe607951de94249dd7ed1452d54b
Opcode Fuzzy Hash: e63882e3a89d37fc6f24073d9bc24f3a19192eae7687f8c43c4b4058a4941ef6
Instruction Fuzzy Hash: 1721D871504240DFDB05DF98DDC8B66BFA5FB84324F28C669EA190B35AC336D416CB61

Function 0163D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1912794226.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_163d000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d12f67eb6c647fc84f14a691469f6ec373fd581d20f097ac19fa120950b2d7
Instruction ID: aa9097b7b71b1917f1d78a8739782315dcc81c8a3720ffc149ac4650f832ccb2
Opcode Fuzzy Hash: b7d12f67eb6c647fc84f14a691469f6ec373fd581d20f097ac19fa120950b2d7
Instruction Fuzzy Hash: 3B21F571604200EFDB05DF98D9C4B25BBA5FBC4324F64C66DEA0A4B352C736D416CA61

Function 0163D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1912794226.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_163d000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef052dce16db20202986f5ac190991b46957732a65e183293b196488482b079
Instruction ID: 740b2016b4f36b26f0a6cf626b5de40e59039fb62d60053eeab311685e693a59
Opcode Fuzzy Hash: 9ef052dce16db20202986f5ac190991b46957732a65e183293b196488482b079
Instruction Fuzzy Hash: 192100B1604200DFCB15DF68D8C4B26FBA5FB84714F60C96DE80A0B382C33AD807CA61

Function 0161D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1912709538.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_161d000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
Instruction ID: b109c35cb0f3943a7c7211d4292ef83e2669d000c41dde9b6a03d6c1ae988cff
Opcode Fuzzy Hash: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
Instruction Fuzzy Hash: E021B176504240DFDB16CF54D9C8B56BF72FB84324F28C6A9DD090B65AC33AD42ACBA1

Function 0163D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1912794226.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_163d000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 5c462fb9ea37a3bb2852c33549b3b774ea09eadacdf29da133626a02a99bde80
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 8F11BE75504280CFDB12CF54D9C4B15FBA2FB84714F24C6A9D8494B796C33AD40ACB61

Function 0163D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1912794226.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_163d000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 5bcb5c2213590f328eb918be1a09769ec17ac942c42dc1c949f6ef2e0adc3948
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 8911BB75904280DFDB02CF54C9C4B15BBB2FB84224F24C6ADD9494B396C33AD40ACB61

Analysis Process: sgxIb.exePID: 7960, Parent PID: 7260COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	164
Total number of Limit Nodes:	21

Executed Functions

Function 06ED3580 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06ED3C8B
$^q, xrefs: 06ED3C56
$^q, xrefs: 06ED3C62
$^q, xrefs: 06ED3C7F
$^q, xrefs: 06ED3CAF
$^q, xrefs: 06ED3CA3

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 61217bfa8c7e772381148594766ce23b16ced68d1e3e890c0afab5aec901340d
Instruction ID: e87e4274a5a066e8e8b32258465ac9633fde071fc5e9db719f613b4539f7d233
Opcode Fuzzy Hash: 61217bfa8c7e772381148594766ce23b16ced68d1e3e890c0afab5aec901340d
Instruction Fuzzy Hash: 3C322D35E1071A8FCB14DF64D8945ADB7B6FFC9300F2096A9D409AB254EF30AD86CB91

Function 06ED0040 Relevance: 2.0, Instructions: 1975COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638ba57be6334e4d58c5899292e56ade1ba4c857ae384a01af607cb8ec19536b
Instruction ID: 94676fe9763c74c0144b9175d177e7a1e4f193d614264b4907d90c04fbb55063
Opcode Fuzzy Hash: 638ba57be6334e4d58c5899292e56ade1ba4c857ae384a01af607cb8ec19536b
Instruction Fuzzy Hash: EB23FA31D10B198ECB15EF68C8905ADF7B1FF99300F15D79AE458A7221EB70AAC5CB81

Function 06ED6708 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c60f28c15490e766b9c2b7cc1e51f6f78683fa85584ba12b466b40fa57abfe
Instruction ID: a2d0328a45ff7d380c02bfb43372004a81189a5061e9d63a30bb634a73546f55
Opcode Fuzzy Hash: f4c60f28c15490e766b9c2b7cc1e51f6f78683fa85584ba12b466b40fa57abfe
Instruction Fuzzy Hash: 8B629D34A003059FDB54DB68D594AADB7F2FB88318F249569E809EB394DB35EC42CB81

Function 06EDADE8 Relevance: 10.4, Strings: 8, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06EDAF8B
$^q, xrefs: 06EDAF5C
$^q, xrefs: 06EDAFC0
$^q, xrefs: 06EDAFB4
$^q, xrefs: 06EDAF09
$^q, xrefs: 06EDAF97
$^q, xrefs: 06EDAF68
$^q, xrefs: 06EDAF15

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: e0be8d1c7c5903fe8daa724bf2792bbde161da59cac9449502410acab12db8a7
Instruction ID: 628402ba869fba3030a3ae2be802b82afcdd5d76ef387d9025aa576ce5fb4aa4
Opcode Fuzzy Hash: e0be8d1c7c5903fe8daa724bf2792bbde161da59cac9449502410acab12db8a7
Instruction Fuzzy Hash: 1CE17D70E103198FCB65DF69D4846AEB7B2FB89304F209929D409AB344EF34ED46CB81

Function 06ED9268 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06ED931F
$^q, xrefs: 06ED92E4
$^q, xrefs: 06ED92D8
$^q, xrefs: 06ED9313

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 8c9b47325ca68a6ed8b7a0cb3d9c963018250647ef31f013361e913be40c83f0
Instruction ID: 53ab6975a1f0ef449e9bd719813eadd8a4573992193b6ab7f2e4524037453756
Opcode Fuzzy Hash: 8c9b47325ca68a6ed8b7a0cb3d9c963018250647ef31f013361e913be40c83f0
Instruction Fuzzy Hash: 6F912C34B1021A9BDB95DB65D8907AEB3F6FBC9304F109569C40DEB345EE34AC428B91

Function 06EDD070 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06EDD47B
$^q, xrefs: 06EDD467
$^q, xrefs: 06EDD46F

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: bf0c2615ab1f0d8c0b934117d049adc178a4f3e3ef9886bb1401bb97cff17f3b
Instruction ID: 5994b6d4f3d9dcceb323d1320684a7a4a503709f81182725ec22ff01b0dd5ebf
Opcode Fuzzy Hash: bf0c2615ab1f0d8c0b934117d049adc178a4f3e3ef9886bb1401bb97cff17f3b
Instruction Fuzzy Hash: 01623F70B0031A8FCB55DB69E984A5DB7F2FF84305B209A29D0099F358DB75ED86CB81

Function 075B2148 Relevance: 4.1, Strings: 3, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 075B247F
(bq, xrefs: 075B22C2
(bq, xrefs: 075B22ED

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 1986eee2b556088403772d1bd68f2c08903eba0abe023a44c86eccc6386a17aa
Instruction ID: b54caf2a88db9275e33ac6ecd265125d58260b59e47c18e901fd9ac7e447aa70
Opcode Fuzzy Hash: 1986eee2b556088403772d1bd68f2c08903eba0abe023a44c86eccc6386a17aa
Instruction Fuzzy Hash: F0D194B1E002099FDB14DFA9C8546EEBBF2FF89310F148569D409AB391DB749D41CBA1

Function 06ED4C80 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06ED4E5B
XPcq, xrefs: 06ED4DD1
fcq, xrefs: 06ED4CAB

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 23c9a8e13af9f90ef0514ada9be5d51e1efc1d371154d310da0a85e6bff9de11
Instruction ID: 4498a2fcf93a61e7c9622518e70077c12da93787ba2a64a8e8ed77aa8d8e8fbc
Opcode Fuzzy Hash: 23c9a8e13af9f90ef0514ada9be5d51e1efc1d371154d310da0a85e6bff9de11
Instruction Fuzzy Hash: 04617370F002199FEB549FA5C8547AEBBF6FB88700F20842AE509AB395DF759C058B51

Function 06ED8193 Relevance: 2.7, Strings: 2, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06ED843F
$^q, xrefs: 06ED8433

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: e24587058efff9457c828bb40f2a9becb360781136d7699edf3f78aa3724b2db
Instruction ID: f4131a68d67bb9323aa4803d8f966ce502b9c75c96e84f3da77735cc6ce99e80
Opcode Fuzzy Hash: e24587058efff9457c828bb40f2a9becb360781136d7699edf3f78aa3724b2db
Instruction Fuzzy Hash: 12819A30B003168FDB58DB79D8546AEB3A6FF88208F149969D809DB394DF75EC478B81

Function 06ED925A Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06ED92D8
$^q, xrefs: 06ED9313

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 17bf84c80eb2f5bc63500beaa3297c285a971f07aba639b668851e12a2ac551f
Instruction ID: f96318d60547a3d764a9d09caa3e40e07abe35b6dfffa6af9ddb9803044eb76d
Opcode Fuzzy Hash: 17bf84c80eb2f5bc63500beaa3297c285a971f07aba639b668851e12a2ac551f
Instruction Fuzzy Hash: 8D514C34B002059FDB94DB74D990BAE73FAEBC9708F109569D40DDB385DA34AC428B95

Function 06ED4C71 Relevance: 2.6, Strings: 2, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06ED4DD1
fcq, xrefs: 06ED4CAB

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: fa892fa9c0981884258610efc345ce04bb6baa8ceb1163f4207030eb28261450
Instruction ID: 347c5c098d59620f0e9302b56088605c41e263da5b5d51ef0583e1c7b8b3471a
Opcode Fuzzy Hash: fa892fa9c0981884258610efc345ce04bb6baa8ceb1163f4207030eb28261450
Instruction Fuzzy Hash: B0518074F002099FDB559FB5C8547AEBBF6FF88700F20852AE105AB395DA758C018B91

Function 06EC5C92 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06EC5DAA

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 116b93536489fb1042ff7309756ca14461f814d7707bd886b07e8f404e5ceaad
Instruction ID: ac488a3a185e62dc508ae7d5c387ebb874c91df08bec80d0cd99a8d8f35eb1a1
Opcode Fuzzy Hash: 116b93536489fb1042ff7309756ca14461f814d7707bd886b07e8f404e5ceaad
Instruction Fuzzy Hash: FC51B0B1D003099FDB14CFA9C984ADEBFB5BF88314F24952EE419AB210D771A895CF91

Function 06EC5C98 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06EC5DAA

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0eb4b4eeeb1110a10cafba70ed84a178cc1bbf03cf365adbc91de6353e3d8160
Instruction ID: a34701291d18e624be79ca8e47684f582e3e086b364e09cdbfd411e5c89f868c
Opcode Fuzzy Hash: 0eb4b4eeeb1110a10cafba70ed84a178cc1bbf03cf365adbc91de6353e3d8160
Instruction Fuzzy Hash: 9941C0B1D003099FDB14CFA9C984ADEBFB5FF88314F24852AE419AB210D771A895CF90

Function 06EC4B5A Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06EC4C56

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0f08bd2a976bb9f8254654d4dd769ddbfc79dc2db914b0e3156554025dcdeb40
Instruction ID: aee1e9872510a81648dd2988d8810e5dab5c9e1307f3c1808cc6c6d71b6a4d88
Opcode Fuzzy Hash: 0f08bd2a976bb9f8254654d4dd769ddbfc79dc2db914b0e3156554025dcdeb40
Instruction Fuzzy Hash: 0531ACB4E003488FCB44CFA9C46469EBBF1AF88324F10845EC019EB391D734A906CFA1

Function 06EC974C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06ECAAE9

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 07cddd55975d0d8a12ec40d9a187f6b449651c6b3ffc68a96120e525fa0a0bcb
Instruction ID: 8912d662b4bda15379d4048151ed0be613d29c92034e63d3d5c422205436bde0
Opcode Fuzzy Hash: 07cddd55975d0d8a12ec40d9a187f6b449651c6b3ffc68a96120e525fa0a0bcb
Instruction Fuzzy Hash: A7415AB59003098FDB54DF99C588AAABBF5FF88324F24C45DD419AB361D730A841CFA0

Function 06ED59D8 Relevance: 1.6, Strings: 1, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06ED5A03

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: ab767b676cb366471a6b808265b153ecc004ba44df456295b21cd824cdc01fc7
Instruction ID: 25bc7b61ee7a2ff3697e73a09d241ac3c264d6454d493c9b58591e86374b9a06
Opcode Fuzzy Hash: ab767b676cb366471a6b808265b153ecc004ba44df456295b21cd824cdc01fc7
Instruction Fuzzy Hash: D8C19B75F002099FDB54DFA4C494AAEB7F6FF88318F208469D406AB354DA31AD46CBA1

Function 06ECB765 Relevance: 1.6, APIs: 1, Instructions: 75comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06ECB7F8

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 45811850c97f93333790857b18955bb1948ce3cb1a64a8fe11afb6117c5b1957
Instruction ID: 183e6f5f3f1488dd2ccb13b27c60150a6023e580c96da608c57a1c941bf21fa8
Opcode Fuzzy Hash: 45811850c97f93333790857b18955bb1948ce3cb1a64a8fe11afb6117c5b1957
Instruction Fuzzy Hash: 703132B0D01349DFEB24DF99D985BDEBBF1AF48324F208429E005BB290CB75A985CB51

Function 06ECB160 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06ECB7F8

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 5cdf2b35a960cdf53dcc929c8200ba22a851d1724ef125baaad688a8455a9e7c
Instruction ID: e7e62874724ac4fcdbd1d1f2107423b174c8e6150d429d4661ce4b19a4ac167d
Opcode Fuzzy Hash: 5cdf2b35a960cdf53dcc929c8200ba22a851d1724ef125baaad688a8455a9e7c
Instruction Fuzzy Hash: 4E3100B0D01309DFDB50DF99CA85BDEBBF5AB48314F208029E405BB290DBB5A949CB95

Function 06EC9B96 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06EC9C1F

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d807bd6f306615b49483584d336009b51e843d4672f8c70c1b670a1e43e24675
Instruction ID: abaef4adda1db64913e78aa9b1d0be4a386ec58a2f6dab179aac585db676adcd
Opcode Fuzzy Hash: d807bd6f306615b49483584d336009b51e843d4672f8c70c1b670a1e43e24675
Instruction Fuzzy Hash: 5E21E6B59003499FDB10CFA9D984ADEBFF9FB48320F14841AE918A7351D374A954CF61

Function 06EC9B98 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06EC9C1F

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a340fb1cb26e054a69b59c774f746e6629d7ca738600143ea3d0ec49cf5355f2
Instruction ID: e91fd6c61f6d5e1dbd55f802c20ba6747298bea658eea33262495405a12bdbff
Opcode Fuzzy Hash: a340fb1cb26e054a69b59c774f746e6629d7ca738600143ea3d0ec49cf5355f2
Instruction Fuzzy Hash: 5521E4B59003499FDB10CFAAD984ADEBFF8FB48320F14841AE918A7351D374A954CF60

Function 06ECD2A8 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06ECD32B

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b1394c144c693b91d7aba6ea8a6701786e4357355f423c56785a0a1c4165fd24
Instruction ID: ad4f145b80a9688e3a86b60ce5866319dc7659bb72853d4881ed2f511cd81ba1
Opcode Fuzzy Hash: b1394c144c693b91d7aba6ea8a6701786e4357355f423c56785a0a1c4165fd24
Instruction Fuzzy Hash: B92137B1D002099FCB14CF9AD944BEEFBF5AF88320F10842AD419A7250C7756944CFA1

Function 06ECD2B0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06ECD32B

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: f7abce647ce5bbdefbcc479cc284c50d22951800411c024f28b05a793fb44a76
Instruction ID: c77a05c39e96a0841116d3f4e826eee1a776d46844fab0675ce55ea002fa9181
Opcode Fuzzy Hash: f7abce647ce5bbdefbcc479cc284c50d22951800411c024f28b05a793fb44a76
Instruction Fuzzy Hash: 7E21F4B1D002099FCB54DF9AD948BEEFBF5EF88324F10842AD419A7290C775A945CFA1

Function 06EC4BEA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06EC4C56

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8a0b66847c63839ac90267b37b107c0fef766fac4277404eb952e9a0017965d6
Instruction ID: fd0e02f268fe692cefd7ccf80e6de3106f7f3f3fd16fc046a69961391bdc17eb
Opcode Fuzzy Hash: 8a0b66847c63839ac90267b37b107c0fef766fac4277404eb952e9a0017965d6
Instruction Fuzzy Hash: 8A11EFB5C003498EDB20DF9AC944ADEFBF9AB88324F10841AD469A7250C375A545CFA1

Function 0187EE58 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 0187EEBF

Memory Dump Source

Source File: 00000013.00000002.2975467867.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1870000_sgxIb.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 386d287769aa437deccf1433ca2d5c4cf1eea0ea5b4bb3b7f2fa78be7243c9f4
Instruction ID: 84ee52f209e562deecaf35bddc8c586883e326afd0cda365e53751e0cf2de139
Opcode Fuzzy Hash: 386d287769aa437deccf1433ca2d5c4cf1eea0ea5b4bb3b7f2fa78be7243c9f4
Instruction Fuzzy Hash: 541123B1C002599BCB10DF9AC444BDEFBF4EF48320F11856AD918B7241D378AA44CFA1

Function 06ECB621 Relevance: 1.6, APIs: 1, Instructions: 51comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06ECB67D

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d99d6f5beba9e46f90d3f20649dce3dfb754d91ef91cb36fcedfca9a34cf8573
Instruction ID: c919e6897a8d69b1dafb2bdb5f4c1e65812ed67285ed2c310593e787fdccc971
Opcode Fuzzy Hash: d99d6f5beba9e46f90d3f20649dce3dfb754d91ef91cb36fcedfca9a34cf8573
Instruction Fuzzy Hash: 741166B19003488FCB20DFAAD449BDEFFF8EB48320F14845AD518A7201C375A584CFA5

Function 06EC3714 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06EC4C56

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 315185b8cb9ba691508a8833510ec0aed6de366d193a1211b6747b6913717de2
Instruction ID: 2bded12250c1dabd0c4c88a76ce5834496c8c47ca1b73c6c9447eda12e940b6e
Opcode Fuzzy Hash: 315185b8cb9ba691508a8833510ec0aed6de366d193a1211b6747b6913717de2
Instruction Fuzzy Hash: 4811F0B5C00349CFDB10DF9AD544ADEFBF4EB88224F11841AD429B7250D375A546CFA5

Function 06ECB03F Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06ECB67D

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e09c95f07f73fd0cd5eb61e8368030d1ca3339e5c3bc4a961956d9e20fc267c1
Instruction ID: ef75368af54cf07d52ddd40fbb6c9ca8314e177569d4b50d55b93c47c5b7d7c6
Opcode Fuzzy Hash: e09c95f07f73fd0cd5eb61e8368030d1ca3339e5c3bc4a961956d9e20fc267c1
Instruction Fuzzy Hash: 721148B1C107498FCB20DF99C945BDEBBF4EB48320F20845AD519A7310D375A944CFA5

Function 06ECAD59 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06ECAD35), ref: 06ECADBF

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c73a0bf280ee4fe874a62c909ab155aee275a7a725fd3c3233bed1cf2fa63252
Instruction ID: b86718fb71cfb09341a6bccd21c81943e279dab87f4106aab17e9cea1d8ec6c5
Opcode Fuzzy Hash: c73a0bf280ee4fe874a62c909ab155aee275a7a725fd3c3233bed1cf2fa63252
Instruction Fuzzy Hash: 261103B58003498FCB20DF9AD945BDEBFF8EB48324F20841AE519A7250D775A544CFA5

Function 06EC97A4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06ECAD35), ref: 06ECADBF

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 80a41a2d32826d729b7e10c6617bfd61b3cfa2c6b2fd801090891ed6354087f9
Instruction ID: da550a73ab56dc456fe6f6f7b75bdea29c800e681697ec30d3dc40a3042431a8
Opcode Fuzzy Hash: 80a41a2d32826d729b7e10c6617bfd61b3cfa2c6b2fd801090891ed6354087f9
Instruction Fuzzy Hash: 6B1133B08003498FCB20DF9EC549BDEBFF4EB48324F20842AD919A7240D774A944CFA4

Function 06ECB048 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06ECB67D

Memory Dump Source

Source File: 00000013.00000002.3023267983.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ec0000_sgxIb.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 29c4b425a2f038b35f5a1eea9c40be12d944d01cfba3e741d3a1d371c614ca3c
Instruction ID: 5ffdfb29b6df7371cbace0f400bb94b8ee8d985982c1887cf3a0d18783d4a994
Opcode Fuzzy Hash: 29c4b425a2f038b35f5a1eea9c40be12d944d01cfba3e741d3a1d371c614ca3c
Instruction Fuzzy Hash: 7B1142B08007488FCB20DF9AC949BDEBBF8EB48320F20845AD519B7300C378A944CFA5

Function 06ED58B3 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

$, xrefs: 06ED5A03

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: b33b6d5c32bb2c919b94c58854b2b675d4e4742d502df5c290d4dbceb2f4ea90
Instruction ID: 5dc11c33087c1e42e00af539bf67a033ffd188b90085e87ac3053402cd0a14a4
Opcode Fuzzy Hash: b33b6d5c32bb2c919b94c58854b2b675d4e4742d502df5c290d4dbceb2f4ea90
Instruction Fuzzy Hash: 63B1AD75E002198FDB54DFA4C4846EEBBF2BF88324F248569D499BB344DB31AD42CB91

Function 06EDDBF8 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06EDDD41

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: a0f57d569d9f8b44ad718eba25049f10ed4eb70d64df66c1f53b28c00430e859
Instruction ID: c70fa92cd4084f82a5657ffe39ea174106ba3c9b83b9315d66ed3697a52193cf
Opcode Fuzzy Hash: a0f57d569d9f8b44ad718eba25049f10ed4eb70d64df66c1f53b28c00430e859
Instruction Fuzzy Hash: 21418E70E0030A9FDF61DFA5C85479EBBB2FF85304F208929E805EB240DB70A946CB91

Function 06EDDBE5 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06EDDD41

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: dbd2887ea3f282bea7c337ae35da373f24bc83e8697b997ff2bba2bc9a763630
Instruction ID: e8e4925f178278bf5332472028cb0089d03a7d67135baba8ecc03f4af9723c85
Opcode Fuzzy Hash: dbd2887ea3f282bea7c337ae35da373f24bc83e8697b997ff2bba2bc9a763630
Instruction Fuzzy Hash: 58419D70E007099FDF61DFB5C88469EBBB2FF85204F14992AE805EB240DB71A847CB91

Function 06ED21D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06ED230B

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: d99e9dbb95b7d3c337e2e1bcf9448f9515103974d1486dd5b43eee146731a3c4
Instruction ID: 605afb3309a86aba9f04c017e2e475246e86455f027eab9b3c29db49ba71f420
Opcode Fuzzy Hash: d99e9dbb95b7d3c337e2e1bcf9448f9515103974d1486dd5b43eee146731a3c4
Instruction Fuzzy Hash: 0A31CF30B103058FDB599B74C51866F7BE3AF89218F209429E60ADB385DE35DE46C7A1

Function 06ED83E8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06ED8433

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: b02a9937d2f76327e9ecfc22649168c07a49ed58034a71959fd2dc89d0115000
Instruction ID: 9e9220752c735c02e58131d983cd7a5285f7370fb0fc0d15a82704d69c63e14d
Opcode Fuzzy Hash: b02a9937d2f76327e9ecfc22649168c07a49ed58034a71959fd2dc89d0115000
Instruction Fuzzy Hash: EAF02231B00315CFDF649A88F9412BA73AEFB84308F1064A6D908CB250CB75ED03CB91

Function 06ED4B69 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06ED4B75

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 5538548f766fd0bbc57837dbe7b13b24b2d59119853d41b77bf5801aa93f3942
Instruction ID: 6074d2079025097aa8acb40cc067d0b846e54ecfa3372e8473557ed738c861b1
Opcode Fuzzy Hash: 5538548f766fd0bbc57837dbe7b13b24b2d59119853d41b77bf5801aa93f3942
Instruction Fuzzy Hash: 36F0DA30A10219DBDB14DF94E959BAEBBB2FF98704F204519E002A72D8CB701C02CB80

Function 06EDB341 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75630f0381da80ff406aef3cc06fc4bdc778b53f708a34d0a16729d1eddc8357
Instruction ID: b638d878f93ef6877f455b5edea5bc30af809fc1c08b0edcae28bb63a5895a3f
Opcode Fuzzy Hash: 75630f0381da80ff406aef3cc06fc4bdc778b53f708a34d0a16729d1eddc8357
Instruction Fuzzy Hash: 97B1A7B4F103099BEF64CB68C4947AEB7B6FB89314F215425E409DB381EB38DC829752

Function 06EDB350 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31a41b4c93281b9744304c025625582202d86c2fbdab0be98013c3e86d9a0ed
Instruction ID: 4f03a8d11dd12ee31846f94b124da9cacd8b120e3243b45df3d1b051f030b4e7
Opcode Fuzzy Hash: c31a41b4c93281b9744304c025625582202d86c2fbdab0be98013c3e86d9a0ed
Instruction Fuzzy Hash: CBB195B4F103099BDF64CB68C4947AEB7B6FB89314F215425E409DB391EB38DC829752

Function 06EDB9ED Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2d33e11cea15b1c0e3ee8aecc20df34daa342cdec0dfc468317442972dab31
Instruction ID: 6a5190838fd7e78047bfdfca4710fb1680296def1dd6d3179d68aca73b7235b7
Opcode Fuzzy Hash: 2a2d33e11cea15b1c0e3ee8aecc20df34daa342cdec0dfc468317442972dab31
Instruction Fuzzy Hash: 66A14AB4E102098FDFA0CF58D484BADB7B1EB45318F25A926E419DB295EB34DC82CB51

Function 06ED6308 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6498b6db0dad497ebe66221adcf3f4c6e947548e8c1857739895e56f5dfb315
Instruction ID: fc0a0cc50ec8d8d37d9d0643572ad496f68c318950d78a7d919d0c11c76d2352
Opcode Fuzzy Hash: f6498b6db0dad497ebe66221adcf3f4c6e947548e8c1857739895e56f5dfb315
Instruction Fuzzy Hash: E261B271F001214FCB549A7EC84866FAAD7AFC5614F15443AE80EDB364DE65ED0387D2

Function 06ED43B9 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04bc88688b77a0761d54401551924bb0d57b2b508ddd9357d430b24564a03e7
Instruction ID: c80fc9561a2e45cadc929738611c0770caacff955994aa0a9107d42808264656
Opcode Fuzzy Hash: c04bc88688b77a0761d54401551924bb0d57b2b508ddd9357d430b24564a03e7
Instruction Fuzzy Hash: B7815C74B102099FDF44DFA8D4546AEB7F6AB89308F209525D41AEB394EF34EC438B91

Function 06ED43C8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209d5ee78af6129d192afe48b3a4b2a2a45648b7b561d3f03631359e4bd40a66
Instruction ID: 5874c155999d0bac0ac682144b292ed232882f4553c45285078f15f302d59296
Opcode Fuzzy Hash: 209d5ee78af6129d192afe48b3a4b2a2a45648b7b561d3f03631359e4bd40a66
Instruction Fuzzy Hash: FE814D34B102099FDF44DFA9D4546AEB7F6AB89304F109525D41AEB394EF34EC438B91

Function 06ED46D4 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4268186cafd52c5ba574d1abd5ed10c6d43d7ea4f1b6e87bf921a99bad31f0
Instruction ID: a964765003fc151318e2463294133ca29dcbb91b43ebbf0fc2d8ec15f25f2930
Opcode Fuzzy Hash: bb4268186cafd52c5ba574d1abd5ed10c6d43d7ea4f1b6e87bf921a99bad31f0
Instruction Fuzzy Hash: 06915E74E0031A8BDF60DF68C88079DB7B1FF99304F208595D54DBB285EB70AA86CB91

Function 06ED46E8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151385d057d2d0098e9dc2a31664573b2a10fde04ab4be520bf314e74063d73b
Instruction ID: ab9a3d229dee2da0ea7891a9c8894928eddeea182c669399cc865c5e8924e34d
Opcode Fuzzy Hash: 151385d057d2d0098e9dc2a31664573b2a10fde04ab4be520bf314e74063d73b
Instruction Fuzzy Hash: 5E913D74E1021A8BDF60DF68C880B9DB7B1FF99304F208595D54DBB285DB70AA86CF91

Function 06EDF048 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2a02639c9ec55cfd5e258e181b88d25573ac0ec178aa115923a15e7c44d304
Instruction ID: 5db088e61733b98c433dfbf7eed88ab3965ef9b52f601be0cc8dabea5435003f
Opcode Fuzzy Hash: dd2a02639c9ec55cfd5e258e181b88d25573ac0ec178aa115923a15e7c44d304
Instruction Fuzzy Hash: 7A714970A002099FDB44DFA9D984AADBBF6FF88304F249429D40AEB355DB30ED46CB51

Function 06EDFA78 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af4f61dfe1aa55ac221d67fe86dfc9e0f2e4f5fed795d4c5afef7612cddc701
Instruction ID: 2e91a0a35293ae59e89aed9d61ba5f351a85914b568c9edc5d5e63b05535e5cf
Opcode Fuzzy Hash: 9af4f61dfe1aa55ac221d67fe86dfc9e0f2e4f5fed795d4c5afef7612cddc701
Instruction Fuzzy Hash: 4151C670B203159BEF64967CD85476F2A9AD789315F20442BE50FCB3D5CE6DCC829392

Function 06EDFCDB Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd773aabdb58867bb99b71102136dafc924d453bf92580df9b0816d2cc2a6e19
Instruction ID: 9637558da2557c0beac370f31d4f781e39ba0b5e0e76a0b26d2f80363fd8c399
Opcode Fuzzy Hash: fd773aabdb58867bb99b71102136dafc924d453bf92580df9b0816d2cc2a6e19
Instruction Fuzzy Hash: 0151D331E00205DFCF14EB79E4486ADB7B2FF84329F20886AE40ADB251DB318C46CB81

Function 06ED56B0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4b270d32861957c8e7c47399cdd8b787360a6ec6800a1695f83ae3842e3f8e
Instruction ID: 4ff23c9d3f2c0069ab98b0f75a4d020535b53b8b71d794996b62d5421216903d
Opcode Fuzzy Hash: aa4b270d32861957c8e7c47399cdd8b787360a6ec6800a1695f83ae3842e3f8e
Instruction Fuzzy Hash: 07519035E14305DFDF608F69C48077EBBB2EB45318F20997AE56ADB281C635E842CB91

Function 06EDFA88 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7916670a62337acd168f5ecf9fb19ca70c1f73e69dafda58a829cd66acba78e
Instruction ID: 2b09661955b48d67b9dee6a039ad1472fb5c3b3fa565d99c9a64d28c75ecf07c
Opcode Fuzzy Hash: a7916670a62337acd168f5ecf9fb19ca70c1f73e69dafda58a829cd66acba78e
Instruction Fuzzy Hash: E551C5B0B203159BEF649A6CD89876F269AD78D315F20442BE50FCB3D5CE6DCC825392

Function 06EDC908 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e24feb686e2288e9ab57144ee7f1d90fcb1c20d7dcc40ced280c43a1d0a922
Instruction ID: b57d9afa0529823cb89ca5e436fdfc46f49c4ca0bb09ad72649b57c15ac2b7e7
Opcode Fuzzy Hash: e4e24feb686e2288e9ab57144ee7f1d90fcb1c20d7dcc40ced280c43a1d0a922
Instruction Fuzzy Hash: 7051AF31B003198FCB54EB79E48499DB7F6FB89354B208929E409EB345DB31ED42CB80

Function 06ED5538 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256d82f40aca334a8d91753f919a8ea9c0f5d5d5129394429030ff1c82165cda
Instruction ID: 72193bf9a2ee0aaadf9aeedaf543c3951ba04d54386a6f383b32790d58865b05
Opcode Fuzzy Hash: 256d82f40aca334a8d91753f919a8ea9c0f5d5d5129394429030ff1c82165cda
Instruction Fuzzy Hash: BC413871E107098FDF60CFA9D880AAFFBB6FB84314F10492AE156D7640D731E8468B91

Function 075B2139 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b5b03f7ec1559d1ed0605107d49e1c802a0c92091d1ae5b32e9e0fff6fd1d7
Instruction ID: 06b29b7895a999790fd58aad1f915dc47140dfc2e0e91f895f366af09a0d6b6d
Opcode Fuzzy Hash: 39b5b03f7ec1559d1ed0605107d49e1c802a0c92091d1ae5b32e9e0fff6fd1d7
Instruction Fuzzy Hash: CB4160B1A007099BDB14DFA5C8546EDFBB1FF88300F14C65AD409BB264EB71A981CB91

Function 06EDDA98 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cefd5a0a3056d7c328bdf73743497fe0476e57890d69ae7c958c1d53b918036
Instruction ID: b22942d0ae838d3bd1c42f4343bc3d46ae02044dc7829baeab8fcf8c2a5025ac
Opcode Fuzzy Hash: 8cefd5a0a3056d7c328bdf73743497fe0476e57890d69ae7c958c1d53b918036
Instruction Fuzzy Hash: 4B31C671E1031A9FCF25DF69D88469EBBF2FF44308F108929E409AB244EB70A8478B40

Function 06ED2080 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d8db83370e2a9860548f69843ee0002abe7ac82565db56af6b2565f06a850e
Instruction ID: 0c01c5a716bc890a530bbd77c6c62e169ddacb171815889ba00733515c5f6bb1
Opcode Fuzzy Hash: a3d8db83370e2a9860548f69843ee0002abe7ac82565db56af6b2565f06a850e
Instruction Fuzzy Hash: 2E318B35E106069FCF15CFA4D89469EB7B2FF89304F108529EA06EB384EB71A946CB51

Function 06ED2090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c569ce0dc94405d4b3375f98c862fabfefe90db9811fd59190e018ac56a9c2a
Instruction ID: fdd1f6a6ce6afecb65304d4c4a2ca0d09fb13b822331f0ad05764da0c9879567
Opcode Fuzzy Hash: 9c569ce0dc94405d4b3375f98c862fabfefe90db9811fd59190e018ac56a9c2a
Instruction Fuzzy Hash: 4C314D34E1060A9FCF59CFA5D89469EB7B2BF89304F10C529EA06EB340DB71AD46CB50

Function 075B0C30 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f43e57a39f8eeeacc9385cccceb726537ad8ffd44860242eebbbd54060ffc95
Instruction ID: 1b4764c304b46f6f12dd93c8a2c5de7fe1030c53412eaa222a5ccd81c3d79829
Opcode Fuzzy Hash: 7f43e57a39f8eeeacc9385cccceb726537ad8ffd44860242eebbbd54060ffc95
Instruction Fuzzy Hash: CE313CF0A01A0A9FD764DF6AC494ABAFBF5FF88710B14C969D41997610EB30EC41CB90

Function 06ED3FC1 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05a45e6338a4692237b6bc895a55f85e136bd86d74cf5da7b761e23f3cf4ee2
Instruction ID: 148810dd5c58691a8d500baeda72913e85ca13805282073feb18ec61af03ba63
Opcode Fuzzy Hash: c05a45e6338a4692237b6bc895a55f85e136bd86d74cf5da7b761e23f3cf4ee2
Instruction Fuzzy Hash: 41216B75E002159FDB50CF69D941AEEBBF9EB88310F108025E905EB380EB35D9028B92

Function 075B1B3A Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b4bd04f4287bfac1463dbbafdab536acdd8a323a4b34da8e84bde765341a6b
Instruction ID: 0f2d94d08a28d69be3be1a618d244603e77f9e39dcfa07c8df4d1932ed762d44
Opcode Fuzzy Hash: 52b4bd04f4287bfac1463dbbafdab536acdd8a323a4b34da8e84bde765341a6b
Instruction Fuzzy Hash: 5E316FB0A01A069FD764CF2AC494AEABBF5BF88710B14C569D4099B610E730EC42CB90

Function 075B2990 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d01aa893c87ff42e06ccf589a83ae5da3f6d6666a97a3cb333bca27d7153ee0
Instruction ID: 5e5a3c4e45965621ccdb51614a6d0b90e1d31638d3f88a52abcaf9bc5b362f31
Opcode Fuzzy Hash: 7d01aa893c87ff42e06ccf589a83ae5da3f6d6666a97a3cb333bca27d7153ee0
Instruction Fuzzy Hash: 6C21C7B47102158FCB14DB79E8987BE77AAEB88311F20402DD50AD7350DF39AC42CBA2

Function 06ED3FD0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd0c2a14bd3218de33fc707fbe5cc402df9ee662f765ab9b3885be236c386f1
Instruction ID: 7980bf44e93094db69141706bc4536bcc945c4e9079eb92d2b2ccfa1d5f6a77c
Opcode Fuzzy Hash: 8dd0c2a14bd3218de33fc707fbe5cc402df9ee662f765ab9b3885be236c386f1
Instruction Fuzzy Hash: 0C216B75E002159FDB50CF69D981AEEBBF9FB88754F109025E905E7380EB35ED028B92

Function 075B29A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4291d15753029b2dc5b530a519ed41fb74fb7fb590bd80b34fd5fa44829eae0
Instruction ID: c6acc5891e567c44303136378702fe5193bf044f6ae431dbfa318dba08b7a03c
Opcode Fuzzy Hash: b4291d15753029b2dc5b530a519ed41fb74fb7fb590bd80b34fd5fa44829eae0
Instruction Fuzzy Hash: A82195B47102169FCB14DB79E848B7F77AAEB88311F204029E50AD7350DF799C42CBA2

Function 06ED3508 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e45ba8cf9b4283ce4f5539527e1ab7fe96541d84d6406d5eb8ccb8a1202a0a
Instruction ID: 06f56a0786a0220435d2f5070b60bf5211e6202c6f67b56b6f10b99ebc4ac7bb
Opcode Fuzzy Hash: 42e45ba8cf9b4283ce4f5539527e1ab7fe96541d84d6406d5eb8ccb8a1202a0a
Instruction Fuzzy Hash: 3221F371A043544FCB15DB78C8545CEFBB5AF8A314F0455ABD015EB291EA30D946CBE2

Function 017ED1F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2974627451.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_17ed000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff4936c54416d4864860625690a2e2db9ff7f9170460def7316434f8172880c
Instruction ID: 8e808ad796da632fb13a6828bd01e5dfde6766a903898b62e3d0ca9e11999a84
Opcode Fuzzy Hash: 1ff4936c54416d4864860625690a2e2db9ff7f9170460def7316434f8172880c
Instruction Fuzzy Hash: 4A21D7B1508244DFDB25DF58D988B26FBE9FB88334F24C569D8090B246C376D406C661

Function 017ED3A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2974627451.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_17ed000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea729a3de3a504d190e4a16205491faac143fcb1a8ad0481e2a991c1e929ac44
Instruction ID: 899ec6628e258e8596f5fa4152b9fa5cad85b653fbc7a8c22c358eb376841629
Opcode Fuzzy Hash: ea729a3de3a504d190e4a16205491faac143fcb1a8ad0481e2a991c1e929ac44
Instruction Fuzzy Hash: 482103B5604200DFCB25DF58D5C8B25FBE5EB98314F20C5ADDD0A4A252C336E806CA61

Function 017ED030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2974627451.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_17ed000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8da7f9da53c7a31a2bb5f2b84fc6e0b99e410f3d24fe4291e5a8e906e7551dc
Instruction ID: a509b0a795766ac7d420ca2ad846e95cde7acf7e73c835b9d0170135f57d26cf
Opcode Fuzzy Hash: c8da7f9da53c7a31a2bb5f2b84fc6e0b99e410f3d24fe4291e5a8e906e7551dc
Instruction Fuzzy Hash: 7621D3B5604204DFDB25DF58D9C8B26FFE5EB88314F28C5ADD90A4A292C336D446CA61

Function 06EDB038 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143c0b5124c869a2a232fdbcca3cf988f56f76854372319204f15f769959ae5b
Instruction ID: 793a80db2897291fb7d401f49f225b2bde85e6c864a5729750e4adfa90016098
Opcode Fuzzy Hash: 143c0b5124c869a2a232fdbcca3cf988f56f76854372319204f15f769959ae5b
Instruction Fuzzy Hash: 462150B1D1071E8BDF64CFA9C84469EBBB5FF85344F15892AD809EB240FB709846CB81

Function 075B1E44 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d20e267a24b960cc4b948c944757376a1bdc471c99f3e1eb34e1bcffbfdd8e2
Instruction ID: df6fe8ed2cc1dacc35d5cb66ef2bfcdbf11d6d88ccc42968f882b8b6ed42dedb
Opcode Fuzzy Hash: 6d20e267a24b960cc4b948c944757376a1bdc471c99f3e1eb34e1bcffbfdd8e2
Instruction Fuzzy Hash: 1F31CFB0D01218AFDB20DF99C599BDEBBF5BB49310F24841AE409AB290C7B59945CFA1

Function 075B24BC Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c723e54d746c7d96b4113e47b87ca1cce4bc233bac10547f35a83f233a3edbd6
Instruction ID: 8f37285ce94bfc1e5d07b6814c9fdcb8eab10cfe1fd117f8e456ac936f1a8a31
Opcode Fuzzy Hash: c723e54d746c7d96b4113e47b87ca1cce4bc233bac10547f35a83f233a3edbd6
Instruction Fuzzy Hash: 0A31D2B0C01218DFDB20DF99D999BDEBFF5BB49314F24841AE404AB290C7B59945CFA1

Function 06ED6E30 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39744b3f94187b7712b23d6bf114f5463abe666276283f39561908a1fba9e286
Instruction ID: 7b8154eeb9f81e1a1dcf8c9f094b0f61dbfe3bc3ee3cb6dc20b8c469e6136315
Opcode Fuzzy Hash: 39744b3f94187b7712b23d6bf114f5463abe666276283f39561908a1fba9e286
Instruction Fuzzy Hash: AE21B130B102199FDF44DB69E8546AEB7B7EBC8314F249525D809EB340DB30ED428B84

Function 06EDA420 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2ce79e3fef6fa986399022d6ece0184a2264834e6eea08002d4997c4b6ae8e
Instruction ID: b78ad30190d485c13d0fd60967a47fc42bdf24a16a503f1a13167b5a22df43e8
Opcode Fuzzy Hash: 8c2ce79e3fef6fa986399022d6ece0184a2264834e6eea08002d4997c4b6ae8e
Instruction Fuzzy Hash: 9E112232F002101FCBA1D6ADE8542AE73E5EBC961CF10987AE00ECB340DE25DE438381

Function 06ED40E0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70ebbf74f355087bc64b32c14278925184aceb7dc44bf6abe67667ecb67c77c
Instruction ID: c301c57005185aa81fd60ad7542618fc6617a07f8a616b400a1a6ba9d66542f2
Opcode Fuzzy Hash: c70ebbf74f355087bc64b32c14278925184aceb7dc44bf6abe67667ecb67c77c
Instruction Fuzzy Hash: 88118E36B142259FDB549668DC146EF73FAEBD8314F05443AD40AE7380EE749C068BD2

Function 06EDF2B8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cab8b5d31a9dc89dc28db9e498eadf5ce0f17fc09e6d3d0b7a54b090d68380
Instruction ID: 7582b95ba2b97b8f07e0e760cb6abb74c68f8220a65b566bfa56ee79f5b38887
Opcode Fuzzy Hash: 59cab8b5d31a9dc89dc28db9e498eadf5ce0f17fc09e6d3d0b7a54b090d68380
Instruction Fuzzy Hash: C2012431B002901FCB66D67EA81876E77D6CBCA618F14446AE40ECB341DE15DD434396

Function 06ED3570 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08a63ffca500e21be25d74436c3d3524960ef653265911e09131a8fe8fc0f2e
Instruction ID: 65d3a1cf68cba919c2cd429e26bc431144ffb55a2fff3c37a3c7677ad1912555
Opcode Fuzzy Hash: c08a63ffca500e21be25d74436c3d3524960ef653265911e09131a8fe8fc0f2e
Instruction Fuzzy Hash: 8111A071E003185BCB54DB78C8445DEFBB5AB8A310F1494AAD006EB240EA30DA42CFD2

Function 06ED3D99 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5aca716344629c6c96ea56b26013aedc5b266433ff987a1ffe63af603e0070
Instruction ID: 79c439ad565ac923b22d9ab9e00ce5c969908c51d80565eccbc9c760d6edfccb
Opcode Fuzzy Hash: 8c5aca716344629c6c96ea56b26013aedc5b266433ff987a1ffe63af603e0070
Instruction Fuzzy Hash: BA21F2B5D01319AFCB00DF9AD985ADEFFB4FB08310F10812AE918B7240D374A954CBA5

Function 017ED02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2974627451.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_17ed000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 8a25fb83df69086a57734dfe000e40f7b4800f0e9759b684aba7eb309c63aedf
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 5811BE75504284CFDB22CF54D5C8B15FFB1FB88314F28C6AAD8494B696C33AD44ACB61

Function 017ED1F3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2974627451.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_17ed000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
Instruction ID: 596d0fa3198c29e902aeb3f10a3c40c5e418b38d7fdb6a4165158463aab43cbf
Opcode Fuzzy Hash: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
Instruction Fuzzy Hash: 5911C475508280CFDB12CF58D5C8B15FFB2FB88324F24C6AAD8494B656C33AD40ACB91

Function 017ED3A3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2974627451.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_17ed000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: dd3fc3f9696aef7042bd96eb0f6dd255b83116a61ecdbdc981833a245fe4554b
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: AC11BE75504280CFDB12CF54D5C8B15FBA2FB89314F24C6AEDD494B296C33AE44ACB52

Function 075B16F1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb55e2fee3249462a0464656e86233fe0a20bf0cc8dc5b6a3461dedf8c250627
Instruction ID: a88e2f978a323a25443e5433586b948cac11d99f4e32663d910268aaad2213e0
Opcode Fuzzy Hash: bb55e2fee3249462a0464656e86233fe0a20bf0cc8dc5b6a3461dedf8c250627
Instruction Fuzzy Hash: 911102B4609B059FD3B48B28A4985F67BA6FB56700B04884ED047C7641DB35EC018B80

Function 06ED3DA0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fa213ee415f2179475bcc3dd870565bda6d0c0afe11fcf7091e47ae07b8b8d
Instruction ID: 5af5a81989c614d4ae02915f67213a2c3e0404ee3687c78fd6a428f00d1f1cc4
Opcode Fuzzy Hash: 88fa213ee415f2179475bcc3dd870565bda6d0c0afe11fcf7091e47ae07b8b8d
Instruction Fuzzy Hash: 3111CFB5D01219AFCB10DF9AD884ADEFFB8FB49310F10812AE918A7241C374A954CBA5

Function 06ED4328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb63d4efd15cccaac0b758df777629b0a2eb9ea66b926f762fffc119cceac7d
Instruction ID: 8892c7ee9baeb490c3cdf139e75dccd4d6313a5b3fb3404a0b793067509255f6
Opcode Fuzzy Hash: 6cb63d4efd15cccaac0b758df777629b0a2eb9ea66b926f762fffc119cceac7d
Instruction Fuzzy Hash: 4301D131B201215BDB64956EA40972FE3DADBD9718F20983AE00EC7384DE75DC034385

Function 06EDF2C8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59628c68a42b738c0847007dd012e7bb48aeec720a4ec34dcaf84eb685a0318
Instruction ID: 6cb2eeaad1fb324e481129f5ad675c864bfb9869e455c4d172993cd8c622fe78
Opcode Fuzzy Hash: b59628c68a42b738c0847007dd012e7bb48aeec720a4ec34dcaf84eb685a0318
Instruction Fuzzy Hash: CB01DC31B002141BCB64EABEA454B2E63DADBC962CF208839E00ECB340DE25DC834386

Function 075B0C04 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791b618d8397cbd7ffcf398c13714f5a123af122f0f548d033f3cd80930da622
Instruction ID: 935bf88a170a016ab379a6da82550e35841048844cfbbfaad5e512c29ee822f6
Opcode Fuzzy Hash: 791b618d8397cbd7ffcf398c13714f5a123af122f0f548d033f3cd80930da622
Instruction Fuzzy Hash: CC019EF8215B059BD3B48B2995A85F77BEAFB8A710F108D1DE44787641CB75EC018B40

Function 06EDA430 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722158844347d97ef7c5d75f93b9b9574f3688528d9730d7a461d648f747b8c4
Instruction ID: c8dfeaf8d32f8d7dca3f1f79e2780f718d0e5d0643f8dbdb0480072658aab923
Opcode Fuzzy Hash: 722158844347d97ef7c5d75f93b9b9574f3688528d9730d7a461d648f747b8c4
Instruction Fuzzy Hash: 8301D130B102211FCB65DA7EE44872A73DAEB8971CF109438E00ECB340DE25ED438785

Function 075B193B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56587144f57a324914ed9dce66a025be82ed39214a4b750451c264ff84a0bf10
Instruction ID: 8f150102f8afb0a9749164bbef5e84e28804e1c7fa8204ca245a999b0d938728
Opcode Fuzzy Hash: 56587144f57a324914ed9dce66a025be82ed39214a4b750451c264ff84a0bf10
Instruction Fuzzy Hash: 97F0B471D04744EFCB318F7898004EAFFF9AF49200B0085ABE451C3601C734D948CBA1

Function 075B1948 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658ae373d41f690092b44af8bc0b6e0dc82bdce75b9bd472c65652299dbbebe1
Instruction ID: 47ea90b0c8ee03e26d6bd344eee789af250abaa84e1b170be28ff3d06a3c0d75
Opcode Fuzzy Hash: 658ae373d41f690092b44af8bc0b6e0dc82bdce75b9bd472c65652299dbbebe1
Instruction Fuzzy Hash: 8FF01CB5E00718EF9B34CFA998004EAFBF9FF48610B00856AE45593600D731E9148B90

Function 06ED6588 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341db9ea94e567d2537e0e82231baf2f83e94d5d52908aa78bed71c3a2abf98f
Instruction ID: 0b7fafee8e396eda742d50ef9f6c43c392d50294921ee8ac29cb65bc7d4899cc
Opcode Fuzzy Hash: 341db9ea94e567d2537e0e82231baf2f83e94d5d52908aa78bed71c3a2abf98f
Instruction Fuzzy Hash: 5DE0D871D143449FDFA0DB74CA0539D37A59B42208F2448E6C408DB20AF175CE428781

Function 06ED6598 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fbe91d45b4951909707f0a863feff4f7aff157cf502dab239eb20b0e46dfe4
Instruction ID: 4b020afda07c8419cc371cb6dbc6acb0b78fe648b548e3310b0f93bdef3a333d
Opcode Fuzzy Hash: e1fbe91d45b4951909707f0a863feff4f7aff157cf502dab239eb20b0e46dfe4
Instruction Fuzzy Hash: 18E0C270E10308ABDF60CEB8CA0575E73ACE70220CF2088A4D408CB206E272DA428780

Function 075B199C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6011eac5f8262e55ae7ee41660ac2605df3d6984d2ea3a50bf2aa7e92adfe1a
Instruction ID: ad8337858f6c66824150440df505a5b03fa5936e1e648aae118379634b876edd
Opcode Fuzzy Hash: a6011eac5f8262e55ae7ee41660ac2605df3d6984d2ea3a50bf2aa7e92adfe1a
Instruction Fuzzy Hash: D9E01A7A10028AEFCB169FA0C455CD5BFB2FF563107088898E4898F132C732E565EF00

Function 075B16C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b2095fda8849f6ce01152f860d0892cc72e499b149f7ff81dae7e6eec7c794
Instruction ID: 10db6875062fa039d0a3c11f23ac74dd736b395890437fbc517d8e4f337dd5c8
Opcode Fuzzy Hash: 49b2095fda8849f6ce01152f860d0892cc72e499b149f7ff81dae7e6eec7c794
Instruction Fuzzy Hash: 1CD022B220C26823EA2430A8B4112FF7B8D8B81624F0000A3D00CC7A81CD8DCC824AFB

Function 075B1B0A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b9ab2126721052ee6253643a8cbc772dff4e5283271bf7f1967cceaf22e861
Instruction ID: c1d79c91ad9b4aacee2ff3b826957a3de39a0ab6d645068de3da36eddaa98d64
Opcode Fuzzy Hash: 32b9ab2126721052ee6253643a8cbc772dff4e5283271bf7f1967cceaf22e861
Instruction Fuzzy Hash: 1BD0127261826527DB182158A4206FEBA4D4B85539F1104ABD11CC7A82CEC5D88202DB

Function 075B1C70 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b26627eb488c793ea1150989df6284894b94822d7c9338dfa96a208c4d6a34
Instruction ID: 534345aeb07a44e710455032c37cdd19ff5ed15808d7da61122998de617d6e8a
Opcode Fuzzy Hash: 78b26627eb488c793ea1150989df6284894b94822d7c9338dfa96a208c4d6a34
Instruction Fuzzy Hash: 3DD0123224010D9E4B90EE94E880CF277DDBB546007808422E508C6520E621E564E752

Function 075B1B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811d0cccb69703b34fdf43e6241a3ed2360a07e2268548f91e59635976045b0e
Instruction ID: a797334d3f8c8c7285cad8f9665bfe1e05f09ea7c9f0b8c8aa79de464010d851
Opcode Fuzzy Hash: 811d0cccb69703b34fdf43e6241a3ed2360a07e2268548f91e59635976045b0e
Instruction Fuzzy Hash: 17B0922232423A13DA18319D6420AFFB28E8BC9A69F50006BA60D877818DD6DC4202EF

Function 075B16D0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc817c400a0fc1a2bac0e5406ba17bacbccbf04595aba6b1fe2103d2f2d3e332
Instruction ID: fc036151b57069a341802a53eba3b2915e98a759a8016df909743f3204539cef
Opcode Fuzzy Hash: dc817c400a0fc1a2bac0e5406ba17bacbccbf04595aba6b1fe2103d2f2d3e332
Instruction Fuzzy Hash: 49B092A231423A13DA18719D6420AFFB28E8BC9A69F00006BE60D877819DD69C4246EF

Function 075B0253 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3026849187.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_75b0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e53e3266d8a0cbf7a95287360a0a2d42814b1f72b31e377b054498713e6c783
Instruction ID: f146d6105b8cd97ada7a320e6b78dded1edf3810e519eb5bd05bcbea6e4afb55
Opcode Fuzzy Hash: 7e53e3266d8a0cbf7a95287360a0a2d42814b1f72b31e377b054498713e6c783
Instruction Fuzzy Hash: B4D092B084421ACFEF718F80C8187FFBB70BB04315F004419D006A61D4CBBA0949CF51

Non-executed Functions

Function 06ED77B8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06ED7D04
$^q, xrefs: 06ED7D10
$^q, xrefs: 06ED7C65
$^q, xrefs: 06ED78E5
$^q, xrefs: 06ED78D9
$^q, xrefs: 06ED7D26
$^q, xrefs: 06ED78B4
$^q, xrefs: 06ED7C71
$^q, xrefs: 06ED7D1A
$^q, xrefs: 06ED78A8

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 6c8161f390f3da945141d8c82170e142019b88077192bb680b6695c95d2df5e1
Instruction ID: 485409121b6cd2ae12d2d4e8fd4c6e466be800cab58e4aa395787d9f7973b2b2
Opcode Fuzzy Hash: 6c8161f390f3da945141d8c82170e142019b88077192bb680b6695c95d2df5e1
Instruction Fuzzy Hash: BE121C34E003198FDF68DF65C854AAEB7F6BF89304F209969D409AB254DB309D86CF81

Function 06EDAA50 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EDAB46
$^q, xrefs: 06EDAC02
$^q, xrefs: 06EDABAD
$^q, xrefs: 06EDAB52
$^q, xrefs: 06EDABA1
$^q, xrefs: 06EDAC0E
$^q, xrefs: 06EDABCC
$^q, xrefs: 06EDABD8

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 4c014e8f8edaaa3e11a5a88da4f114445c5975e5c7cc3afc0b43df43734e1dc0
Instruction ID: a8641557671c080601e28970785532a2a5cd0749cbdb74d944653a79d1747894
Opcode Fuzzy Hash: 4c014e8f8edaaa3e11a5a88da4f114445c5975e5c7cc3afc0b43df43734e1dc0
Instruction Fuzzy Hash: 0B916C30A103099FEB68DF69D948BAE77B2FF84305F209539E4059B294DF349E42CB91

Function 06ED71B8 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06ED7654
$^q, xrefs: 06ED76C0
$^q, xrefs: 06ED76CC
.5vq, xrefs: 06ED7213
$^q, xrefs: 06ED7500
$^q, xrefs: 06ED74F4
$^q, xrefs: 06ED749A

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: b3e02c73a67a5c228c69e13674b0131f9facd30070d4f242f476c7604739d033
Instruction ID: 00ec9ab9aa78683d0e88ccbaf4c53b1483a9d05007d483460da8b7068ab45421
Opcode Fuzzy Hash: b3e02c73a67a5c228c69e13674b0131f9facd30070d4f242f476c7604739d033
Instruction Fuzzy Hash: B4F14C34B10209CFDB59EB68D494AAEBBB6FF88305F209568D4159B394DF35EC42CB81

Function 06EDBB30 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EDBD09
$^q, xrefs: 06EDBCD5
$^q, xrefs: 06EDBD31
$^q, xrefs: 06EDBCC9
$^q, xrefs: 06EDBCFD
$^q, xrefs: 06EDBD3D

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 415468b01a3663eec225c2fea93ce07bc996f09f243ba90f151abede37bc3ae4
Instruction ID: 66485f43c61ad617a1243b1d68e77cc973a6b715ebd5059f64e9d666bb8891a6
Opcode Fuzzy Hash: 415468b01a3663eec225c2fea93ce07bc996f09f243ba90f151abede37bc3ae4
Instruction Fuzzy Hash: C6719FB0E103198FDB68CF68D4446AEB7F2FF85305B219929D40A9F254EB71DC46CB81

Function 06ED84F0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06ED87BB
$^q, xrefs: 06ED8756
$^q, xrefs: 06ED874A
$^q, xrefs: 06ED87AF

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 856c9b2554edacbdfbfc722c9e9b0f1578785a56f198f08c868c8a85db578d06
Instruction ID: 5604677eb923f98274826b37787305e1784078549ad27cfc1eb062f84bc041cc
Opcode Fuzzy Hash: 856c9b2554edacbdfbfc722c9e9b0f1578785a56f198f08c868c8a85db578d06
Instruction Fuzzy Hash: 25B14B34E103198FDB54EB69D5846AEB7B2FF88305F249929D40ADB394DB35DC82CB81

Function 06ED8908 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06ED8993
LR^q, xrefs: 06ED8A4A
LR^q, xrefs: 06ED89FB
$^q, xrefs: 06ED8987

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 2282a2449c44551ac29ce0d5343ace1f8d198608c6c70f991bc227c8826fc8d1
Instruction ID: 697020a60606cba1b6943182d38a823572e00d9d58b4b8bc804018f773492b76
Opcode Fuzzy Hash: 2282a2449c44551ac29ce0d5343ace1f8d198608c6c70f991bc227c8826fc8d1
Instruction Fuzzy Hash: 4F51B274B003059FDB58DB28D844A6EB7E6FF88704F149968E40A9F395DB34EC42CB92

Function 06EDADD8 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EDAF8B
$^q, xrefs: 06EDAF5C
$^q, xrefs: 06EDAFB4
$^q, xrefs: 06EDAF09

Memory Dump Source

Source File: 00000013.00000002.3023648786.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6ed0000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: c916f7d80bdbee9fd0acba1f25ebc45417c5f281151885d575d2381608491a27
Instruction ID: c2251d79ba28b41ee824fd4c533b188c1a1b3d4a656a1947960ab3d3a5218f15
Opcode Fuzzy Hash: c916f7d80bdbee9fd0acba1f25ebc45417c5f281151885d575d2381608491a27
Instruction Fuzzy Hash: D351AE74E103048FDB65DB68E5806ADB3B2FB88315F24597AD815DB344DB31EE82CB91

Analysis Process: sgxIb.exePID: 8184, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	151
Total number of Limit Nodes:	8

Executed Functions

Function 07542827 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 213
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 075427EB

Strings

FKy, xrefs: 075429B2

Memory Dump Source

Source File: 00000016.00000002.2003316002.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7540000_sgxIb.jbxd

Similarity

API ID: ProtectVirtual
String ID: FKy
API String ID: 544645111-635708487
Opcode ID: a97d22418b353958d698d55936732396cc64efec40a1e00e9a22d77673c9eadf
Instruction ID: 150b24c503642e2aadf85c22543b05e628a4bcfac7cb33cb3761910244900919
Opcode Fuzzy Hash: a97d22418b353958d698d55936732396cc64efec40a1e00e9a22d77673c9eadf
Instruction Fuzzy Hash: E59129B5A01209DFCB04DFA8D588AEEBBF1FF48310F208569E845AB364DB359945CF61

Function 0754EF08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0754F13E

Memory Dump Source

Source File: 00000016.00000002.2003316002.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7540000_sgxIb.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dd9cd19f9dcde847c319064700195215eb5ad04304bdb4e6567a6e044452cf23
Instruction ID: 6c7b4d07f6f6eac8b25458e1442ff82a7897d973cca538414106e79f07f447be
Opcode Fuzzy Hash: dd9cd19f9dcde847c319064700195215eb5ad04304bdb4e6567a6e044452cf23
Instruction Fuzzy Hash: B6916DB1D0021ADFDF24DF68C845BDEBBB2BF44314F1485AAD809A7280DB759985CF92

Function 02A2AD68 Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.1994847220.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a20000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26cadf529516ecfbd20110d845cdeb56171c272f6d20126fb13c392fac79bb5c
Instruction ID: 9c3be13e3cd0991bd118732e0ea35fd021c283e56c4c419ebc898f6d44be9558
Opcode Fuzzy Hash: 26cadf529516ecfbd20110d845cdeb56171c272f6d20126fb13c392fac79bb5c
Instruction Fuzzy Hash: 85712470A00B258FD724DF29D19475ABBF2BF48304F108A2DD48AC7A52DB75E94ACF91

Function 02A258ED Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A259A9

Memory Dump Source

Source File: 00000016.00000002.1994847220.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a20000_sgxIb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6c8ea2d85e2aedab019a4456865c6cc5924aab5b505a3ac19d87a4e3a1eaace8
Instruction ID: 7930b05eb39268e68f8cdf1a391f14e790e9dc0c0fa88223ea3c126a8e672e9f
Opcode Fuzzy Hash: 6c8ea2d85e2aedab019a4456865c6cc5924aab5b505a3ac19d87a4e3a1eaace8
Instruction Fuzzy Hash: DF51F3B1D00719CEDB28DFA9C8887DEBBF1BF49314F20806AD409AB251DB75A949CF51

Function 02A244B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A259A9

Memory Dump Source

Source File: 00000016.00000002.1994847220.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a20000_sgxIb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 07ecf68bad908429de8a6e0c7b4da3fbefa45abe22349e47e4ae3471ddd83365
Instruction ID: a2be1a6c1ac628740b9c50db48fcb44075edb5d2a60db938e6a52e2bfefec7d0
Opcode Fuzzy Hash: 07ecf68bad908429de8a6e0c7b4da3fbefa45abe22349e47e4ae3471ddd83365
Instruction Fuzzy Hash: 3341E4B0D0072DCBDB28DFA9C884B9DBBF5BF49314F60806AD409AB251DB716949CF91

Function 05154040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05154101

Memory Dump Source

Source File: 00000016.00000002.1999256332.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5150000_sgxIb.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a74e8179fb71f5f91251838ccf213122bd65256b38e717c71e9e83585f041711
Instruction ID: b862f64493c5078b3abaa42ebdc9c25ad9a8988a03fc89ec15b4d8b16a8b2fb5
Opcode Fuzzy Hash: a74e8179fb71f5f91251838ccf213122bd65256b38e717c71e9e83585f041711
Instruction Fuzzy Hash: D8410AB4900305CFCB14CF99C889AAAFBF5FB88324F258459D919A7321D775A945CFA0

Function 0754EC80 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0754ED10

Memory Dump Source

Source File: 00000016.00000002.2003316002.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7540000_sgxIb.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 59af981799c444d96a723f6383dbea40cef7cb25065ab7b48646cf6c07f44bf8
Instruction ID: 89aec8591e632258fe381ffcc3ea45c1295f16bb26888e839f29ba8d40050708
Opcode Fuzzy Hash: 59af981799c444d96a723f6383dbea40cef7cb25065ab7b48646cf6c07f44bf8
Instruction Fuzzy Hash: 5B2125B19003499FCF10DFAAC885BDEBBF5FF48314F10842AE919A7240C778A954DBA4

Function 02A2D23C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A2D616,?,?,?,?,?), ref: 02A2D6D7

Memory Dump Source

Source File: 00000016.00000002.1994847220.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a20000_sgxIb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 408c3816e8925518fe6cea89899b66c87b7b15baf046dc06c1212bf280e4c032
Instruction ID: f1ec2c2ef42fad6706f8478185f58ba90f9c48dbdc266a1c68869bd72165f72d
Opcode Fuzzy Hash: 408c3816e8925518fe6cea89899b66c87b7b15baf046dc06c1212bf280e4c032
Instruction Fuzzy Hash: 522114B59003489FDB10CF9AD984AEEFBF8EB48320F10841AE918A3311C374A944CFA5

Function 0754ED70 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0754EDF0

Memory Dump Source

Source File: 00000016.00000002.2003316002.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7540000_sgxIb.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0853381f26c98644a4a8cd342ccb7556a2190c99306bbef1a214c6045236f09e
Instruction ID: 8b213249ab1507588d5865a901cbe0ed2761146e289970fc549708a3331c2374
Opcode Fuzzy Hash: 0853381f26c98644a4a8cd342ccb7556a2190c99306bbef1a214c6045236f09e
Instruction Fuzzy Hash: DE2125B18003599FCB10DFAAC885AEEFBF5FF48320F10842EE519A7250C7389954DBA5

Function 0754EAE8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0754EB66

Memory Dump Source

Source File: 00000016.00000002.2003316002.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7540000_sgxIb.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 36e228f407549686ea17cc9840845b282e79a965d1087c8df369d0c111fe5cbe
Instruction ID: ad9963af5bdf71b00e8db3ac5fd364ad2b69311bee8442829579b382f339d184
Opcode Fuzzy Hash: 36e228f407549686ea17cc9840845b282e79a965d1087c8df369d0c111fe5cbe
Instruction Fuzzy Hash: B02137B19003098FDB10DFAAC485BEEBBF4FF88324F14842AD559A7241CB789944CFA5

Function 02A2D64F Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A2D616,?,?,?,?,?), ref: 02A2D6D7

Memory Dump Source

Source File: 00000016.00000002.1994847220.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a20000_sgxIb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 71925190f60cfb4f736d245fbf1816110d9474f3278c021dc99bb14dfe1b347c
Instruction ID: 4d9fd37b26b3d38e23cc0de5521924e6f5a0e7f4206b87729bb8bdd880dfa035
Opcode Fuzzy Hash: 71925190f60cfb4f736d245fbf1816110d9474f3278c021dc99bb14dfe1b347c
Instruction Fuzzy Hash: D021EFB59002089FDB10CFAAD984AEEBBF4EB48320F14841AE918A3351C378A944CF60

Function 07542770 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 075427EB

Memory Dump Source

Source File: 00000016.00000002.2003316002.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7540000_sgxIb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 97e1f60465f6f3c5d364725f13ae79f43b6851ce028c707e49d2191ac2b8e356
Instruction ID: 7e603105b14df475a0b0fd3da773718d5c2587b4432039d4535f4524408f95c1
Opcode Fuzzy Hash: 97e1f60465f6f3c5d364725f13ae79f43b6851ce028c707e49d2191ac2b8e356
Instruction Fuzzy Hash: BE21F4B59002499FCB10DF9AC885ADEFBF4FB48320F10842AE868A3251D374A944CFA1

Function 07542778 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 075427EB

Memory Dump Source

Source File: 00000016.00000002.2003316002.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7540000_sgxIb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0823c7f3401f4ff8917c1df58487d5503949efd6b38a9c6005048d544f7299ba
Instruction ID: 577e6eb5ef09a5def6e04b05559c29b0122afe64dc294f612d7b802e7f8e9f09
Opcode Fuzzy Hash: 0823c7f3401f4ff8917c1df58487d5503949efd6b38a9c6005048d544f7299ba
Instruction Fuzzy Hash: 7721E7B59003599FCB10DF9AC884BDEFBF4FB48320F108429E958A7251D374A544CFA1

Function 0754EBC0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0754EC2E

Memory Dump Source

Source File: 00000016.00000002.2003316002.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7540000_sgxIb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 74bd374a398bae21614742445815467dd420b72eb1649e86d6fe7d203fde36cc
Instruction ID: fdc4ec1f32038e31dc0770c7926666f8dfee84e3683f0705d5b382f853a16f31
Opcode Fuzzy Hash: 74bd374a398bae21614742445815467dd420b72eb1649e86d6fe7d203fde36cc
Instruction Fuzzy Hash: 7A1156B18002499FCB20DFAAC845ADEBBF5FF88324F208819E519A7250C735A940CBA1

Function 0754EA38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0754EA9A

Memory Dump Source

Source File: 00000016.00000002.2003316002.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7540000_sgxIb.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: eff9ecfd09bad5dd1f6d4ac8b58c6bbcc7378b3843a8201e15980c4436f1f6ef
Instruction ID: 6d97986fd2755a31e8c7fdfd4a8a20299dd238cdffa86feae831472cece3891e
Opcode Fuzzy Hash: eff9ecfd09bad5dd1f6d4ac8b58c6bbcc7378b3843a8201e15980c4436f1f6ef
Instruction Fuzzy Hash: 391136B19003498FCB24DFAAC4497DEFBF5FF88324F20881AD519A7240CB75A944CBA5

Function 02A2AF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02A2AFBE

Memory Dump Source

Source File: 00000016.00000002.1994847220.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a20000_sgxIb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 56f842510a89a24dfa775aadc3b18379ef952f8800cf5fd8f09cddc036accab7
Instruction ID: 51362e0dba7e8462979878944f7f5ebec566c0f20cae6059b2ad5d70e7f0db39
Opcode Fuzzy Hash: 56f842510a89a24dfa775aadc3b18379ef952f8800cf5fd8f09cddc036accab7
Instruction Fuzzy Hash: 901110B6C003498FCB14CF9AC444ADEFBF4EF88324F10845AD429A7611C779A549CFA1

Function 091314A3 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09131505

Memory Dump Source

Source File: 00000016.00000002.2004898624.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_9130000_sgxIb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c7086fff13238640eaee79437c9d21367d24588f4835cbe9593e997835fa227c
Instruction ID: 3c278e9201e9ed506860e831f3dba27188805f10b1b4009ddaea257b8bd4b6fe
Opcode Fuzzy Hash: c7086fff13238640eaee79437c9d21367d24588f4835cbe9593e997835fa227c
Instruction Fuzzy Hash: CD1100B59003489FCB10DF9AC889BDEBBF8EB49324F10881AE519A7710C375A944CFA1

Function 02A2AF57 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02A2AFBE

Memory Dump Source

Source File: 00000016.00000002.1994847220.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a20000_sgxIb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c8085c530b7cf6ba6d96f79a5f75a6f00c83f3ce8ab24f2ddd19382652d2ae73
Instruction ID: f7811a2eead3143a8f004d24b9f1f5582afc3051ca453da00ea5bd64b30c6963
Opcode Fuzzy Hash: c8085c530b7cf6ba6d96f79a5f75a6f00c83f3ce8ab24f2ddd19382652d2ae73
Instruction Fuzzy Hash: 5D110CB6C002498ECB14CF9AC548ADEFBF4AF88324F10845AD429B7611C378A549CFA1

Function 091314A8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09131505

Memory Dump Source

Source File: 00000016.00000002.2004898624.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_9130000_sgxIb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 745f482b3802e20687bbc10e97d4126033ead2095b918690737a4ae25531bdf0
Instruction ID: 937c0a4ef469b843408b7d9f430735a1f63063f63e9ddef605ec82cb7765b7e2
Opcode Fuzzy Hash: 745f482b3802e20687bbc10e97d4126033ead2095b918690737a4ae25531bdf0
Instruction Fuzzy Hash: 8E1112B58003489FCB10DF9AC889BDEFBF8EB49324F10841AE519A7610C375A944CFA1

Function 02A2D64A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A2D616,?,?,?,?,?), ref: 02A2D6D7

Memory Dump Source

Source File: 00000016.00000002.1994847220.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a20000_sgxIb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 24ab53cceb3fb0d47ffa9a526be557d484ba76eade4e6c58784a8cb73e14cae0
Instruction ID: 17a78b3b8c5bcf0885a009dcc144140c6ba90b6c570a2c5003c55ca4dbb917cf
Opcode Fuzzy Hash: 24ab53cceb3fb0d47ffa9a526be557d484ba76eade4e6c58784a8cb73e14cae0
Instruction Fuzzy Hash: C511A9B190024ADFDB10CFADD888BDEBFF0EF49324F24810AE528A7251C374A855DB61

Function 00FAD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1993495101.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_fad000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec8d05ffcc41757e7117169ed367a592ca9d8cdee9e9a707073185b846a164e
Instruction ID: 4ea81e0491b8a1d8ae55118c7574bb7040e9ad9fde3a3e01f588259ce677376e
Opcode Fuzzy Hash: dec8d05ffcc41757e7117169ed367a592ca9d8cdee9e9a707073185b846a164e
Instruction Fuzzy Hash: 3E213AF6D04240DFCB05DF14D9C4B26BF65FB99328F28C569E80A0B656C336D816E7A1

Function 00FBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1993563419.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_fbd000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86af3302baed8d2e47e6649dee3c5234f8170413fd44c0faa2c9e62350e999d8
Instruction ID: 4869c42bf62215bc5721944723136f9ae523fa5f2d0c907a482eb35927ba9d36
Opcode Fuzzy Hash: 86af3302baed8d2e47e6649dee3c5234f8170413fd44c0faa2c9e62350e999d8
Instruction Fuzzy Hash: 0721F575A04200DFCB14EF14D9C4B56BBA5FB94364F24C56DD80A4B38AD33AD807EE62

Function 00FBD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1993563419.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_fbd000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0081fe4ce4aed218909bbad9461555afa3e50f747ba003275942b4cb2faa84b
Instruction ID: 593bee19fa25d0ea51a9532a4de5d9eb178736ca92f156d1b3f24a7d4027a2a8
Opcode Fuzzy Hash: a0081fe4ce4aed218909bbad9461555afa3e50f747ba003275942b4cb2faa84b
Instruction Fuzzy Hash: C1213771A04240EFDB05DF15C9C0B25BBA5FB84324F20C66DD80A4B381D336D806DF62

Function 00FBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1993563419.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_fbd000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944f0b1a12f761938fb1ad49abb5f1fe45784c25ea9347fdfd3aed8229445484
Instruction ID: 5444bdf271eaca584496de8d1e8254a82ae86b56f1e20b6f2df2782089cc9ce1
Opcode Fuzzy Hash: 944f0b1a12f761938fb1ad49abb5f1fe45784c25ea9347fdfd3aed8229445484
Instruction Fuzzy Hash: B42192755093C08FCB02DF24D994715BF71EB46324F28C5EAD8498F6A7C33A980ADB62

Function 00FAD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1993495101.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_fad000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: dd97a76fb78ce6d92bff4f323f7ab99d3570de25ffde88a6f296d16a631f8fd4
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 0311E9B6D04240CFCB15CF14D5C4B16BF71FB94324F28C5A9D8460B656C336D856DB91

Function 00FBD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1993563419.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_fbd000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 52aeb2219ef2aa56309b3e3b392c4e77ea3b5b38b76651a3314d2c9df092c81a
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 0C11BB75904280DFCB06CF10C9C4B15BBB2FB84324F24C6ADD8494B296C33AD80ADF62

Analysis Process: sgxIb.exePID: 5472, Parent PID: 8184COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	204
Total number of Limit Nodes:	22

Executed Functions

Function 06837E98 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0683843F
$^q, xrefs: 06838433

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: ce955ed64faec026bbb99ec3b72da38d5eed2acf24f216ceddb42f4037766b8b
Instruction ID: 055e727962c6d15e82b44dce36890584b5bebc2933cf77c552b4f76de3093c6a
Opcode Fuzzy Hash: ce955ed64faec026bbb99ec3b72da38d5eed2acf24f216ceddb42f4037766b8b
Instruction Fuzzy Hash: B1029C70B002259FDB54DB68D9906AEB7E2FF84304F148929E509DB794DB35EC82CBD1

Function 06830007 Relevance: 2.0, Instructions: 1971COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe52c881670f39e9913f15d822545b2cf63045982d491e51b4658b627d00d27
Instruction ID: d2000c3143f5c84b49d22a271ced2887a3b7f933326ca900e02d6f5078bf2d7d
Opcode Fuzzy Hash: 7fe52c881670f39e9913f15d822545b2cf63045982d491e51b4658b627d00d27
Instruction Fuzzy Hash: D023F931D10B198ACB15EF68C8945ADF7B1FF99300F15D79AE458B7221EB70AAC4CB81

Function 068356B0 Relevance: 1.8, Strings: 1, Instructions: 595COMMON

Download Yara Rule

Strings

$, xrefs: 06835A03

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 4fb9973e3c477970a4ad22b3cd1647590f074a3394023f6e7ed073fb6d72ccdb
Instruction ID: 840659cceea88702eed5b5b9066f4c765ee81d9eb5d61402cc7869cd03eb9d45
Opcode Fuzzy Hash: 4fb9973e3c477970a4ad22b3cd1647590f074a3394023f6e7ed073fb6d72ccdb
Instruction Fuzzy Hash: C122D371E002258FDF64DFA4D4846AEBBB2EF84324F208469D949EB354DA35DD41CBD2

Function 06836708 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a2ebadcfe1737e1d339bda6cdb91583c1dc51372678d4350e5e04824f82f5f
Instruction ID: 674dd93fec44bbb3cabb75cc8442f71d1dd83cf36fda0aa68e1f74f1063b499f
Opcode Fuzzy Hash: 52a2ebadcfe1737e1d339bda6cdb91583c1dc51372678d4350e5e04824f82f5f
Instruction Fuzzy Hash: B662CE30B002249FDB54DB68D594AADB7F2FF85314F248469E909EB350EB35ED82CB90

Function 06839268 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 068392E4
$^q, xrefs: 0683931F
$^q, xrefs: 06839313
$^q, xrefs: 068392D8

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 7fec489ee3592e8082de40e5141a3f6e8d2beb37b1012e4961edadd949b02702
Instruction ID: 772acf9a2984f26df731ecb769cc098443c28e3113a13f8129cf69d58aac2c03
Opcode Fuzzy Hash: 7fec489ee3592e8082de40e5141a3f6e8d2beb37b1012e4961edadd949b02702
Instruction Fuzzy Hash: 03915170B0022A9FDF54EB65D9507AEB7F6AFC9208F108969C40DEB744EA709C42CB95

Function 06834C80 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06834CAB
\Ocq, xrefs: 06834E5B
XPcq, xrefs: 06834DD1

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: e26d939fa3c37a7c604fc7856e2a45cc8d585e2725ea9a0c75bc5b1a9dcb1d91
Instruction ID: 665800abc07bcffd43cf57fc900bae1cbd175c5f23d1365fa129f86f802773c6
Opcode Fuzzy Hash: e26d939fa3c37a7c604fc7856e2a45cc8d585e2725ea9a0c75bc5b1a9dcb1d91
Instruction Fuzzy Hash: 3A618170F002189FEB54DFA9C8547AEBBF2EF88710F20842AE505EB391DB758D058B91

Function 0683925B Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06839313
$^q, xrefs: 068392D8

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 799a6ef70043a946ab608f8408e7493377715834240bfa570a9a56078985c5c1
Instruction ID: 3d8fb3a9dd063bf939709dd9676c45ee81ef4f069f0297c55433246744bd8f5e
Opcode Fuzzy Hash: 799a6ef70043a946ab608f8408e7493377715834240bfa570a9a56078985c5c1
Instruction Fuzzy Hash: 3D517470B001159FDF54EB78D990B6EB7F6EBC9208F108529D419DB788EA70DC42CBA5

Function 0683DBE5 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0683DD41

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 82f1ed6521951bab56b337253824aa0ecaff9863012af64094a144e2847f0632
Instruction ID: 6d37055a3fc7e7403036273af4888cf708e7ccb7a765809affd78d33cdf3d830
Opcode Fuzzy Hash: 82f1ed6521951bab56b337253824aa0ecaff9863012af64094a144e2847f0632
Instruction Fuzzy Hash: F941C070E10329DFDB61DFA9C8547AEBBB2BF96304F104929D905EB340DB749946CB81

Function 068383E8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06838433

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 2b326be6645408022546cf9682927dfaa2e59cc95cb7c074af10fb443ae49fa8
Instruction ID: b7fe80f30af9c6669b827ad5f054dcbb80387a3d8615df173000162aadba0e64
Opcode Fuzzy Hash: 2b326be6645408022546cf9682927dfaa2e59cc95cb7c074af10fb443ae49fa8
Instruction Fuzzy Hash: 8EF0F4B1B002349FDFB49B44F94126CB769EB40208F044866FA04CB954C735D901C7D0

Function 06834B69 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06834B75

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 53226a921d3d8a96edb236ad2d8ef6e4a590ec9ec7bbdb5d12ee1a073e932fef
Instruction ID: e34859780c140cab1f8cf54a1ffa51a69d1fc0415bb925129aa2fa59827fb4f2
Opcode Fuzzy Hash: 53226a921d3d8a96edb236ad2d8ef6e4a590ec9ec7bbdb5d12ee1a073e932fef
Instruction Fuzzy Hash: B6F0D430A10129DBDB14DF94E959BAEBBB2FF88704F204519E502EB294CBB41D05CBC0

Function 0683C2B0 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da528b5e979ac58d73a88e4265d53bb318919577a96b9b4a45066d7369c01fc
Instruction ID: dbeacc967b431647824a9f2dd2c9b50dcefd771ac710e417bd8e90f3eea07a57
Opcode Fuzzy Hash: 3da528b5e979ac58d73a88e4265d53bb318919577a96b9b4a45066d7369c01fc
Instruction Fuzzy Hash: 7332B470B102298FDB64DB68D980BAEB7B2FF88314F108525E509EB755DB35EC42CB91

Function 0683B3E7 Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7a5f51783d46ee24cf1efbb1714f121e29913cb0775a78ea17ee6f0bad8d72
Instruction ID: 281922d9a1d238e19160a31601d736f7bc7a24ebeefbd20f43c91303c9d7390a
Opcode Fuzzy Hash: 5f7a5f51783d46ee24cf1efbb1714f121e29913cb0775a78ea17ee6f0bad8d72
Instruction Fuzzy Hash: 6F226FB0E102298FDF64DB68D5907ADB7F2EB55310F248826E509EB395DB34DC81CB91

Function 06836308 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2200399768a856398a22530c97c742ef3bab8fd0ecc903910066e82e114a6d5e
Instruction ID: 90462da958925f456330e32acfbc9a7247c5f18e40dd607e4309a058b73de650
Opcode Fuzzy Hash: 2200399768a856398a22530c97c742ef3bab8fd0ecc903910066e82e114a6d5e
Instruction Fuzzy Hash: 71610471F001214FCF119A7DC88466FBAD7AFC4224B25443AE80EDB364EE65DD4287C2

Function 068343BB Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e78814976b639b7f512c2ab9d32ba771013b161fe42948d8a5e2d38cb719ff7
Instruction ID: 08a96a729b9fdc247a4f1ae832fd09a50ac44f777f91492082f19d3bfb1379ae
Opcode Fuzzy Hash: 3e78814976b639b7f512c2ab9d32ba771013b161fe42948d8a5e2d38cb719ff7
Instruction Fuzzy Hash: 1D815E70B002199FDF54DFA9D9546AEB7F2AF89304F108529D50ADB394EF34EC428B91

Function 068346D4 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72bcd43d299599b7584ca079831015ff149d737ddf4c49e69c87d069b498aef
Instruction ID: e6717e4194cefd945043682747d044b9c9d4697ff0144222cd8477778dbc9b2f
Opcode Fuzzy Hash: b72bcd43d299599b7584ca079831015ff149d737ddf4c49e69c87d069b498aef
Instruction Fuzzy Hash: 91914D34E102198BDF60DF68C890B9DB7B1FF89310F208599D549EB395EB70AA85CB91

Function 068346E8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c1c4559ac621adff3ca1b999dc0aaa2cf6937db1101c35333c507492469348
Instruction ID: 539a3300bfc75768c542cae2c7b395fdcc2e2a7c6f4f0b7a3774f9d34eb26764
Opcode Fuzzy Hash: d4c1c4559ac621adff3ca1b999dc0aaa2cf6937db1101c35333c507492469348
Instruction Fuzzy Hash: 65913C74E102198BDF60DF68C880B9DB7B1FF89310F208599D549FB355EB70AA858F91

Function 0683F039 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d125687282f831893a5cf4bbcbe50f43dc2a5e0559d049690fee3c94c39b02
Instruction ID: d0de7146e6445070063b668a743086aaba688d94334d77192a9f8031457fcc03
Opcode Fuzzy Hash: b1d125687282f831893a5cf4bbcbe50f43dc2a5e0559d049690fee3c94c39b02
Instruction Fuzzy Hash: 4C716E70E012198FCB54DBA8D990AADBBF6FF88304F148529E109EB355DB34ED46CB91

Function 0683FCC9 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750f72d4db60be1f7ce157fd887b958c35ceb136c94209bf5fcd18b7b65b21fb
Instruction ID: 1c2944e6301d3ebc87993627a217a0598c17d638395ce6d483d2fb67d395f828
Opcode Fuzzy Hash: 750f72d4db60be1f7ce157fd887b958c35ceb136c94209bf5fcd18b7b65b21fb
Instruction Fuzzy Hash: 68510431E002259FDF64AB78E4446ADB7B2EF84315F108979E71ADB250DF358855CBC1

Function 0683FA78 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f124eddd05a2d54a3319c0fc9edc369ad439d7f4a797b2124873684d3088a992
Instruction ID: 7872dd89b61b30790a439a5cb843628af74a5c25ed3a719dcc614cd41a8ba4ba
Opcode Fuzzy Hash: f124eddd05a2d54a3319c0fc9edc369ad439d7f4a797b2124873684d3088a992
Instruction Fuzzy Hash: F451D070F202248BEF656678D85476F3A9AD789311F20452AE70EC7794CF2CCC9293D2

Function 0683FA88 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cb00ffd3d7850d73309a473f6d2ef9990b929512abaa33b135f2f6c7fff2de
Instruction ID: 0bdd64ff507da8333e226903f6af850a973e6fff82671df0c25ac960f018c5ec
Opcode Fuzzy Hash: 43cb00ffd3d7850d73309a473f6d2ef9990b929512abaa33b135f2f6c7fff2de
Instruction Fuzzy Hash: F251C0B0F202249BEF646668D89476F369AD78D311F20452AE70EC7794CF6CCC9293D2

Function 0683DA98 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6bd0403a4de97053891ba1012f970fe69d533961145930e769a3fa8fafe867
Instruction ID: 4225d784090ba34ea041ed6264c6eef94bcb8291de9d1dc425022707a57a5b9a
Opcode Fuzzy Hash: dc6bd0403a4de97053891ba1012f970fe69d533961145930e769a3fa8fafe867
Instruction Fuzzy Hash: 9E31B631E103299FCF65DF69D88069EBBF2FF85304F144A29E505EB244EB70A946CB81

Function 06832080 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ee9d021ff44541b316c89a4532ca29db4ead93f64c2bd82eefb3b06994f624
Instruction ID: b36d364c91e00b07fabc3fe13ed12390f7bd1919dd641aa084b2667c8cd9a593
Opcode Fuzzy Hash: 77ee9d021ff44541b316c89a4532ca29db4ead93f64c2bd82eefb3b06994f624
Instruction Fuzzy Hash: 1E31BE31E002159FCB15CFA4D9A469EB7B2FF89310F148529E906EB350DB71AD46CB90

Function 06832090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef0e6b2f12b0865c54a72c7b106e7c4ec38f26f5149020cf18e2fc2258cde91
Instruction ID: 8168d028f9563dc00c2732bd76fb365521ca1ac7a76c75c8aeec3e99de6d1ac3
Opcode Fuzzy Hash: eef0e6b2f12b0865c54a72c7b106e7c4ec38f26f5149020cf18e2fc2258cde91
Instruction Fuzzy Hash: 68317E31E106159FCB55CFA4D96469EB7B2FF89300F10C529E906E7340DB71AD46CB90

Function 06833FC1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd2fe8aa5b731bc59fc5ada72fabe5dea7098288daad0e9f5a36468e420a713
Instruction ID: c3f99f222591fb87a0e8ba25b06a0d2f90f665a8480a5759fc74e7e9b7bef508
Opcode Fuzzy Hash: dbd2fe8aa5b731bc59fc5ada72fabe5dea7098288daad0e9f5a36468e420a713
Instruction Fuzzy Hash: 17217C75F002199FDB90DFB8D981AAEBBF5AB88714F148025E944EB385E731D901CBE1

Function 06833FD0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf38cd811381dc4688222e6ad0d66b5ff811c02d94d37e10c16172496f035f90
Instruction ID: 4f17b9f1e89ccfba269f6c8254019848bd8e1894bc3458deac6f591e50079f7b
Opcode Fuzzy Hash: bf38cd811381dc4688222e6ad0d66b5ff811c02d94d37e10c16172496f035f90
Instruction Fuzzy Hash: EF217C75F002199FDB90DF69D980AAEBBF5EB48714F108025EA05E7344EB31D901CB90

Function 06834318 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d642df4c838947bfb669ce74dde5752dcb28de912874c2e52b4050abd803d07
Instruction ID: 5f63fd15f15aa0a6dc2db18a2b8f679acef536219d3e6769e4e84d23a7393586
Opcode Fuzzy Hash: 0d642df4c838947bfb669ce74dde5752dcb28de912874c2e52b4050abd803d07
Instruction Fuzzy Hash: 2011C031B111240FDB61966CD801B2EB7EADBCA219F14842AE60EC7391D964DC0283D1

Function 068340E0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5502d8bd8b2fe190788ce6083c35f86705fa9994fd556e972f0af1ff7ed33cc5
Instruction ID: f6e9fc78471ea064274166d0ddc3c5573d26480392950461f3d0ea7bc8e28da7
Opcode Fuzzy Hash: 5502d8bd8b2fe190788ce6083c35f86705fa9994fd556e972f0af1ff7ed33cc5
Instruction Fuzzy Hash: C7118E32B141285FDB949668DC146AE73FAABC8614B008539C50AE7344EE359C028BE2

Function 0683A420 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885aa56a756c4dc16a4abbd93495197fe40fc69b218cd1c2fc9865fc7a29f9fa
Instruction ID: ff6c58088de217b50c97318f3e73240eb187c318c6ca81ab3734a397a81a62f1
Opcode Fuzzy Hash: 885aa56a756c4dc16a4abbd93495197fe40fc69b218cd1c2fc9865fc7a29f9fa
Instruction Fuzzy Hash: A5114971F002201FCB79E678E84476EBBD6EBC6708F04856AE64AC7742DD21DC0283D1

Function 0683F2B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc28f737b76db99fbf65672dbf6273c6ad0c1697d2a1ac4a4546488290a4008
Instruction ID: 756ab0ea849eb3b9e1e5b7fa28d2bb58998659dab4eab163f51f50d12cf64cd5
Opcode Fuzzy Hash: 2fc28f737b76db99fbf65672dbf6273c6ad0c1697d2a1ac4a4546488290a4008
Instruction Fuzzy Hash: DE01F131F182604BCB32967CA464B3F77DACB8A218F14886EE60AC7385DE54DC0283D6

Function 068340D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c375817fb7c816514dd95648b9ca197bf1922d7c71609f689866e70a1283d4
Instruction ID: 64d22021837d3741c4bc49986eb56fb85bebdb6cb9b91d1edda43b417c2cec45
Opcode Fuzzy Hash: 99c375817fb7c816514dd95648b9ca197bf1922d7c71609f689866e70a1283d4
Instruction Fuzzy Hash: EA01B136B140285BDB94D6A9DC506EF7BFBDBC8614F014536D60AD7254EF20981287E2

Function 06834328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f031c85a50c9cd4312fdabfc6e3be1f12020a55e0d2b25d42b56ef2fd69d2a
Instruction ID: da418db6b58153f6f31c9346a40b5e69c2f8305156eed207c7af4ba4eac6fe01
Opcode Fuzzy Hash: 91f031c85a50c9cd4312fdabfc6e3be1f12020a55e0d2b25d42b56ef2fd69d2a
Instruction Fuzzy Hash: 36016931B100201BDB6495ADA854B2FA3DADBCA718F24883AE60EC7394D965DC0243D5

Function 0683F2C8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e1067fdcb97185b9f20b39e62a15214635156fca4c4e929e00f8d00893df68
Instruction ID: ce57ff0d9f26b72a025a771173ed8664ca4b3ce1f624f683ff746343f43a72c5
Opcode Fuzzy Hash: 07e1067fdcb97185b9f20b39e62a15214635156fca4c4e929e00f8d00893df68
Instruction Fuzzy Hash: 55011935F101205BDB6596BDA494B2E62DADBCA628F148839E60AC7384DE65DC0243D6

Function 0683A430 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3023385107.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6830000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15a9d6dad32194c32a7ffd5c6a1dd3d44a9a92aaa9a1ac7c645d7afd2d204a9
Instruction ID: 605697bca5a7143c4fa42526c8eaa4d8194dac67e36300c4b60d70338f5fa2e6
Opcode Fuzzy Hash: b15a9d6dad32194c32a7ffd5c6a1dd3d44a9a92aaa9a1ac7c645d7afd2d204a9
Instruction Fuzzy Hash: 6E018131B000204BDB78E668E95476EB7DAEBCA718F108829E64EC7744DD25DC0287D5

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report s2Jg1MAahY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GedTanqRR.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s2Jg1MAahY.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0fdemhkn.kyu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyywn1cc.hx3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_elindv2r.4sm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3f5tstw.et3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0vdxbfw.j3l.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pol05p5u.cil.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wiqgae4d.aj3.ps1

Windows Analysis Report
s2Jg1MAahY.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre