Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
zkB0qfWSJk.exe

Overview

General Information

Sample name:zkB0qfWSJk.exe
renamed because original name is a hash value
Original sample name:2facfa5bb80933431ce452627dd71c6c9b5711799dea72732e1617622ec45c54.exe
Analysis ID:1465289
MD5:7e3694a4d525aecb407e7dfee160afee
SHA1:9e515221e99af422d0e7c76b3b90e9a259f67562
SHA256:2facfa5bb80933431ce452627dd71c6c9b5711799dea72732e1617622ec45c54
Tags:exe
Infos:

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • zkB0qfWSJk.exe (PID: 7220 cmdline: "C:\Users\user\Desktop\zkB0qfWSJk.exe" MD5: 7E3694A4D525AECB407E7DFEE160AFEE)
    • RegSvcs.exe (PID: 7376 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • cmd.exe (PID: 7788 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 7844 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
    • RegSvcs.exe (PID: 7388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • WerFault.exe (PID: 7492 cmdline: C:\Windows\system32\WerFault.exe -u -p 7220 -s 980 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "varlutnant@valleycountysar.org", "Password": "i~~Ga+6_-~V*", "Host": "valleycountysar.org", "Port": "26"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
      00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
      • 0x147e6:$a1: get_encryptedPassword
      • 0x14ad2:$a2: get_encryptedUsername
      • 0x145f2:$a3: get_timePasswordChanged
      • 0x146ed:$a4: get_passwordField
      • 0x147fc:$a5: set_encryptedPassword
      • 0x15e20:$a7: get_logins
      • 0x15d83:$a10: KeyLoggerEventArgs
      • 0x15a1c:$a11: KeyLoggerEventArgsEventHandler
      00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmpMALWARE_Win_SnakeKeyloggerDetects Snake KeyloggerditekSHen
      • 0x180c4:$x1: $%SMTPDV$
      • 0x1812a:$x2: $#TheHashHere%&
      • 0x19721:$x3: %FTPDV$
      • 0x19815:$x4: $%TelegramDv$
      • 0x15a1c:$x5: KeyLoggerEventArgs
      • 0x15d83:$x5: KeyLoggerEventArgs
      • 0x19745:$m2: Clipboard Logs ID
      • 0x19965:$m2: Screenshot Logs ID
      • 0x19a75:$m2: keystroke Logs ID
      • 0x19d4f:$m3: SnakePW
      • 0x1993d:$m4: \SnakeKeylogger\
      00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
        Click to see the 16 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        9.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          9.2.RegSvcs.exe.400000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
            9.2.RegSvcs.exe.400000.0.unpackJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
              9.2.RegSvcs.exe.400000.0.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
              • 0x149e6:$a1: get_encryptedPassword
              • 0x14cd2:$a2: get_encryptedUsername
              • 0x147f2:$a3: get_timePasswordChanged
              • 0x148ed:$a4: get_passwordField
              • 0x149fc:$a5: set_encryptedPassword
              • 0x16020:$a7: get_logins
              • 0x15f83:$a10: KeyLoggerEventArgs
              • 0x15c1c:$a11: KeyLoggerEventArgsEventHandler
              9.2.RegSvcs.exe.400000.0.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
              • 0x1c31f:$a2: \Comodo\Dragon\User Data\Default\Login Data
              • 0x1b551:$a3: \Google\Chrome\User Data\Default\Login Data
              • 0x1b984:$a4: \Orbitum\User Data\Default\Login Data
              • 0x1c9c3:$a5: \Kometa\User Data\Default\Login Data
              Click to see the 28 entries

              Sigma Signatures

              No Sigma rule has matched

              Snort Signatures

              No Snort rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Found malware configuration
              Source: 00000009.00000002.1393870851.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "varlutnant@valleycountysar.org", "Password": "i~~Ga+6_-~V*", "Host": "valleycountysar.org", "Port": "26"}
              Multi AV Scanner detection for submitted file
              Source: zkB0qfWSJk.exeReversingLabs: Detection: 65%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.7% probability
              Machine Learning detection for sample
              Source: zkB0qfWSJk.exeJoe Sandbox ML: detected

              Location Tracking

              barindex
              Tries to detect the country of the analysis system (by using the IP)
              Source: unknownDNS query: name: reallyfreegeoip.org

              Exploits

              barindex
              Yara detected UAC Bypass using CMSTP
              Source: Yara matchFile source: 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: zkB0qfWSJk.exe PID: 7220, type: MEMORYSTR
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49708 version: TLS 1.0
              Source: zkB0qfWSJk.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: mscorlib.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.ni.pdbRSDS source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: mscorlib.ni.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.Core.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.ni.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.Core.ni.pdb source: WER9F66.tmp.dmp.13.dr

              Networking

              barindex
              Yara detected Generic Downloader
              Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPE
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
              Source: unknownDNS query: name: checkip.dyndns.org
              Source: unknownDNS query: name: checkip.dyndns.org
              Source: unknownDNS query: name: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49708 version: TLS 1.0
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
              Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
              Source: RegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
              Source: RegSvcs.exe, 00000009.00000002.1393870851.0000000003065000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
              Source: RegSvcs.exe, 00000009.00000002.1393870851.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
              Source: zkB0qfWSJk.exe, 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
              Source: RegSvcs.exe, 00000009.00000002.1393870851.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
              Source: RegSvcs.exe, 00000009.00000002.1393870851.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Amcache.hve.13.drString found in binary or memory: http://upx.sf.net
              Source: RegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
              Source: zkB0qfWSJk.exe, 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
              Source: RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
              Source: RegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
              Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
              Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: Process Memory Space: zkB0qfWSJk.exe PID: 7220, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: zkB0qfWSJk.exe PID: 7220, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: Process Memory Space: RegSvcs.exe PID: 7376, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: RegSvcs.exe PID: 7376, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC6C418C7_2_00007FFAAC6C418C
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC6C87307_2_00007FFAAC6C8730
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC6D4BC97_2_00007FFAAC6D4BC9
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC6CBC907_2_00007FFAAC6CBC90
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC6CC0717_2_00007FFAAC6CC071
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC6CB43A7_2_00007FFAAC6CB43A
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC6D4C227_2_00007FFAAC6D4C22
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC6D44597_2_00007FFAAC6D4459
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC6C143D7_2_00007FFAAC6C143D
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC79026B7_2_00007FFAAC79026B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D7B3289_2_02D7B328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D7C1909_2_02D7C190
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D761089_2_02D76108
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D797E89_2_02D797E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D7C7529_2_02D7C752
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D7C4709_2_02D7C470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D74AD99_2_02D74AD9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D7CA329_2_02D7CA32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D7BBD29_2_02D7BBD2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D768809_2_02D76880
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D7BEB09_2_02D7BEB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D7B4F29_2_02D7B4F2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02D735729_2_02D73572
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7220 -s 980
              Source: zkB0qfWSJk.exeStatic PE information: No import functions for PE file found
              Source: zkB0qfWSJk.exe, 00000007.00000002.1467074961.000001AE69530000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAqabukokuloveliqirolo0 vs zkB0qfWSJk.exe
              Source: zkB0qfWSJk.exe, 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs zkB0qfWSJk.exe
              Source: zkB0qfWSJk.exe, 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAqabukokuloveliqirolo0 vs zkB0qfWSJk.exe
              Source: zkB0qfWSJk.exe, 00000007.00000000.1282297947.000001AE67802000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameAzibixune@ vs zkB0qfWSJk.exe
              Source: zkB0qfWSJk.exeBinary or memory string: OriginalFilenameAzibixune@ vs zkB0qfWSJk.exe
              Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: Process Memory Space: zkB0qfWSJk.exe PID: 7220, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: zkB0qfWSJk.exe PID: 7220, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: Process Memory Space: RegSvcs.exe PID: 7376, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: RegSvcs.exe PID: 7376, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, --k.csCryptographic APIs: 'TransformFinalBlock'
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, --k.csCryptographic APIs: 'TransformFinalBlock'
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, ----.csCryptographic APIs: 'TransformFinalBlock'
              Source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, ----.csCryptographic APIs: 'TransformFinalBlock'
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, --k.csCryptographic APIs: 'TransformFinalBlock'
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, --k.csCryptographic APIs: 'TransformFinalBlock'
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, ----.csCryptographic APIs: 'TransformFinalBlock'
              Source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, ----.csCryptographic APIs: 'TransformFinalBlock'
              Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@11/6@2/2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regsvcs.exe.logJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
              Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7220
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
              Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\384721a9-122b-4bcf-ab65-0f6204d18004Jump to behavior
              Source: zkB0qfWSJk.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: zkB0qfWSJk.exeReversingLabs: Detection: 65%
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeFile read: C:\Users\user\Desktop\zkB0qfWSJk.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\zkB0qfWSJk.exe "C:\Users\user\Desktop\zkB0qfWSJk.exe"
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7220 -s 980
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: zkB0qfWSJk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: zkB0qfWSJk.exeStatic file information: File size 1318932 > 1048576
              Source: zkB0qfWSJk.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: zkB0qfWSJk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: mscorlib.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.ni.pdbRSDS source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: mscorlib.ni.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.Core.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.ni.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER9F66.tmp.dmp.13.dr
              Source: Binary string: System.Core.ni.pdb source: WER9F66.tmp.dmp.13.dr
              Source: zkB0qfWSJk.exeStatic PE information: 0x9B9359DD [Mon Sep 16 18:47:57 2052 UTC]
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeCode function: 7_2_00007FFAAC79026B push esp; retf 4810h7_2_00007FFAAC790312
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Yara detected AntiVM3
              Source: Yara matchFile source: Process Memory Space: zkB0qfWSJk.exe PID: 7220, type: MEMORYSTR
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory allocated: 1AE67B30000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory allocated: 1AE69610000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599844Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599709Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599587Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597060Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596953Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596844Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2346Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7460Jump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599844Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599709Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599587Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597060Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596953Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596844Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593735Jump to behavior
              Source: Amcache.hve.13.drBinary or memory string: VMware
              Source: Amcache.hve.13.drBinary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.13.drBinary or memory string: vmci.syshbin
              Source: Amcache.hve.13.drBinary or memory string: VMware, Inc.
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Amcache.hve.13.drBinary or memory string: VMware20,1hbin@
              Source: Amcache.hve.13.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.13.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.13.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.13.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
              Source: Amcache.hve.13.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
              Source: Amcache.hve.13.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.13.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.13.drBinary or memory string: vmci.sys
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
              Source: Amcache.hve.13.drBinary or memory string: vmci.syshbin`
              Source: RegSvcs.exe, 00000009.00000002.1393060083.0000000001097000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
              Source: Amcache.hve.13.drBinary or memory string: \driver\vmci,\driver\pci
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: Amcache.hve.13.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.13.drBinary or memory string: VMware20,1
              Source: Amcache.hve.13.drBinary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.13.drBinary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.13.drBinary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.13.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.13.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.13.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.13.drBinary or memory string: VMware PCI VMCI Bus Device
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
              Source: zkB0qfWSJk.exe, 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
              Source: Amcache.hve.13.drBinary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.13.drBinary or memory string: VMware Virtual RAM
              Source: Amcache.hve.13.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.13.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
              Source: Amcache.hve.13.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              .NET source code references suspicious native API functions
              Source: zkB0qfWSJk.exe, ---.csReference to suspicious API methods: GetProcAddress(_061B_FBB4_FD41, _0610_FBCC_0613_FBCF_060B_FBBE_06DB)
              Source: zkB0qfWSJk.exe, ---.csReference to suspicious API methods: VirtualProtect(procAddress, (uint)_06D8_FBD1_FD47_FDE3_FBBC_FDDD_06EC_061F.Length, 64u, out var _FBB5_FBC8)
              Source: zkB0qfWSJk.exe, ---.csReference to suspicious API methods: LoadLibrary(_FDD7_0607_0655(_FBCD_065B_06D4_FDCA._FDCA_FDE4_FD40_060A))
              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FB8008Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeQueries volume information: C:\Users\user\Desktop\zkB0qfWSJk.exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\zkB0qfWSJk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: Amcache.hve.13.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.13.drBinary or memory string: msmpeng.exe
              Source: Amcache.hve.13.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.13.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
              Source: Amcache.hve.13.drBinary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              barindex
              Yara detected Snake Keylogger
              Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.1393870851.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: zkB0qfWSJk.exe PID: 7220, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7376, type: MEMORYSTR
              Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: zkB0qfWSJk.exe PID: 7220, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7376, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected Snake Keylogger
              Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae102019e8.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.zkB0qfWSJk.exe.1ae101e0fa0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.1393870851.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: zkB0qfWSJk.exe PID: 7220, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7376, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              Native API              		1
              DLL Side-Loading              		311
              Process Injection              		1
              Masquerading              		OS Credential Dumping121
              Security Software Discovery              		Remote Services11
              Archive Collected Data              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
              DLL Side-Loading              		1
              Disable or Modify Tools              		LSASS Memory31
              Virtualization/Sandbox Evasion              		Remote Desktop ProtocolData from Removable Media1
              Ingress Tool Transfer              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
              Virtualization/Sandbox Evasion              		Security Account Manager1
              Application Window Discovery              		SMB/Windows Admin SharesData from Network Shared Drive2
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
              Process Injection              		NTDS1
              System Network Configuration Discovery              		Distributed Component Object ModelInput Capture13
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Deobfuscate/Decode Files or Information              		LSA Secrets1
              File and Directory Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Obfuscated Files or Information              		Cached Domain Credentials12
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Timestomp              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              DLL Side-Loading              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              zkB0qfWSJk.exe66%ReversingLabsByteCode-MSIL.Spyware.Snakekeylogger
              zkB0qfWSJk.exe100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://upx.sf.net0%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              http://checkip.dyndns.org/0%Avira URL Cloudsafe
              http://checkip.dyndns.org0%Avira URL Cloudsafe
              http://checkip.dyndns.org/q0%Avira URL Cloudsafe
              https://reallyfreegeoip.org/xml/8.46.123.330%Avira URL Cloudsafe
              https://reallyfreegeoip.org0%Avira URL Cloudsafe
              https://reallyfreegeoip.org/xml/8.46.123.33$0%Avira URL Cloudsafe
              http://reallyfreegeoip.org0%Avira URL Cloudsafe
              https://reallyfreegeoip.org/xml/0%Avira URL Cloudsafe
              http://checkip.dyndns.com0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              reallyfreegeoip.org
              		188.114.97.3
              		truetrue
                		unknown
                checkip.dyndns.com
                		193.122.130.0
                		truefalse
                  		unknown
                  checkip.dyndns.org
                  		unknown
                  		unknowntrue
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://checkip.dyndns.org/false
                    • Avira URL Cloud: safe
                    		unknown
                    https://reallyfreegeoip.org/xml/8.46.123.33false
                    • Avira URL Cloud: safe
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://reallyfreegeoip.orgRegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://upx.sf.netAmcache.hve.13.drfalse
                    • URL Reputation: safe
                    		unknown
                    http://checkip.dyndns.orgRegSvcs.exe, 00000009.00000002.1393870851.0000000003065000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://checkip.dyndns.comRegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://reallyfreegeoip.org/xml/8.46.123.33$RegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000009.00000002.1393870851.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://checkip.dyndns.org/qzkB0qfWSJk.exe, 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://reallyfreegeoip.orgRegSvcs.exe, 00000009.00000002.1393870851.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003085000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003058000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://reallyfreegeoip.org/xml/zkB0qfWSJk.exe, 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1393870851.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    188.114.97.3
                    		reallyfreegeoip.orgEuropean Union
                    		13335CLOUDFLARENETUStrue
                    193.122.130.0
                    		checkip.dyndns.comUnited States
                    		31898ORACLE-BMC-31898USfalse

                    General Information

                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1465289
                    Start date and time:2024-07-01 14:47:07 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 5m 48s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:26
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:zkB0qfWSJk.exe
                    renamed because original name is a hash value
                    Original Sample Name:2facfa5bb80933431ce452627dd71c6c9b5711799dea72732e1617622ec45c54.exe
                    Detection:MAL
                    Classification:mal100.troj.expl.evad.winEXE@11/6@2/2
                    EGA Information:
                    • Successful, ratio: 50%
                    HCA Information:
                    • Successful, ratio: 86%
                    • Number of executed functions: 59
                    • Number of non-executed functions: 3
                    Cookbook Comments:
                    • Found application associated with file extension: .exe

                    Warnings

                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.42.73.29
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target RegSvcs.exe, PID 7376 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • VT rate limit hit for: zkB0qfWSJk.exe

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    08:48:10API Interceptor61x Sleep call for process: RegSvcs.exe modified
                    08:48:25API Interceptor1x Sleep call for process: WerFault.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    188.114.97.3file.exeGet hashmaliciousFormBookBrowse
                    • www.cavetta.org.mt/yhnb/
                    6Z4Q4bREii.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                    • 000366cm.nyashka.top/phpflowergenerator.php
                    DHL Arrival Notice.exeGet hashmaliciousFormBookBrowse
                    • www.coinwab.com/efdt/
                    arrival notice_pdf.exeGet hashmaliciousFormBookBrowse
                    • www.evoolihubs.shop/fwdd/?CbPtaF=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&NV=CzkTp6UpmNmd
                    BbaXbvOA7D.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                    • 228282cm.nyashka.top/ExternalimagevmRequestlongpollsqldbLocal.php
                    j05KsN2280.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                    • 640740cm.nyashka.top/providerEternalGameWindowstest.php
                    QUOTATION_JUNQTRA031244#U00faPDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                    • filetransfer.io/data-package/L69kvhYI/download
                    Techno_PO LV12406-00311.xla.xlsxGet hashmaliciousUnknownBrowse
                    • qr-in.com/cpGHnqq
                    QUOTATION_JUNQTRA031244#U0652PDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                    • filetransfer.io/data-package/Txmfx0A2/download
                    RITS Ref 3379-06.exeGet hashmaliciousFormBookBrowse
                    • www.ad14.fun/az6h/
                    193.122.130.0file.exeGet hashmaliciousSnake KeyloggerBrowse
                    • checkip.dyndns.org/
                    LETTER OF AUTHORIZATION.exeGet hashmaliciousSnake KeyloggerBrowse
                    • checkip.dyndns.org/
                    PRODUCTS LIST.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                    • checkip.dyndns.org/
                    file.exeGet hashmaliciousSnake KeyloggerBrowse
                    • checkip.dyndns.org/
                    IMG_0071191023.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                    • checkip.dyndns.org/
                    SDFS0987678900H..Bat.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                    • checkip.dyndns.org/
                    Vessel Particulars.exeGet hashmaliciousSnake KeyloggerBrowse
                    • checkip.dyndns.org/
                    MV WADI S PARTICULARS.exeGet hashmaliciousSnake KeyloggerBrowse
                    • checkip.dyndns.org/
                    MT Sea Gull 9 Particulars.exeGet hashmaliciousSnake KeyloggerBrowse
                    • checkip.dyndns.org/
                    Invoice Packing List.exeGet hashmaliciousSnake KeyloggerBrowse
                    • checkip.dyndns.org/

                    Domains

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    reallyfreegeoip.orgfile.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.96.3
                    scan copy.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    vsl particulars packing list.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.96.3
                    MT Marine Tiger.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    new order.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.96.3
                    LETTER OF AUTHORIZATION.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.96.3
                    MT Marine Tiger.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    vsl particulars packing list.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.96.3
                    checkip.dyndns.comfile.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 193.122.130.0
                    scan copy.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 132.226.8.169
                    f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 158.101.44.242
                    vsl particulars packing list.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 132.226.247.73
                    MT Marine Tiger.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 193.122.6.168
                    Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 132.226.247.73
                    new order.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 158.101.44.242
                    LETTER OF AUTHORIZATION.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 132.226.8.169
                    MT Marine Tiger.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 158.101.44.242
                    vsl particulars packing list.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 193.122.6.168

                    ASNs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    CLOUDFLARENETUShttps://m.exactag.com/ai.aspx?tc=d9650035bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Acluelesscollective.com%2Fwinner%2F49479%2F%2FYWRyaWFuLmt1amF3YUAyc2ZnLmNvbQ==Get hashmaliciousHTMLPhisherBrowse
                    • 104.17.2.184
                    http://zoom.voipmessage.uk/XTVNEL3Y5b1J3cmNET2VKbmR6bVRsN3V1NmVOY1NGblBJVC9iTE8rdVgxbTVqY2FOZnZ4TUM0ZlFjRHpCR3RWejFXajBVK2d4TW1YbEM3bTdUSWMzV3hrSEFpYnNQL282UDBDM1E0OVhPS1ZjR1JpSzJpRlZZSGVWc3RkVld1K0ZNM2t1YU5qN0hocjRoMWlOeXBkYzlZUXdMYysyWTZaUWtNVVlSWWVCNG1FTnBPWXc3R2RFWjJSbVNEcEw3clVRbTRHVzNRPT0tLUR6bnh4akFBbEUrU3NKL3YtLXRQbTlZaDQ1Tzd4b0NQSFdzTDA4eWc9PQ==Get hashmaliciousUnknownBrowse
                    • 104.18.89.62
                    t4i3QEZnNh.exeGet hashmaliciousAgentTeslaBrowse
                    • 172.67.74.152
                    Wy95YVZ3zt.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                    • 104.26.13.205
                    Agreement for Bmangan 5753.pdfGet hashmaliciousHTMLPhisherBrowse
                    • 188.114.96.3
                    KiOK5LRFEG.exeGet hashmaliciousAgentTeslaBrowse
                    • 104.26.12.205
                    https://skofmygytomybosinthrfm.nl/you/hi/okay/okay/their/kkyag/than/to/us/us/invite/Get hashmaliciousHTMLPhisherBrowse
                    • 172.67.166.58
                    rHHG2h2w8U.exeGet hashmaliciousAgentTeslaBrowse
                    • 172.67.74.152
                    https://m.exactag.com/ai.aspx?tc=d9648951bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ajeffreyhensley.com%2Fwinner%2F13566%2F%2FZWdpZGlqdXMuem9rYWl0aXNAMnNmZy5jb20=Get hashmaliciousHTMLPhisherBrowse
                    • 104.17.2.184
                    http://links.notification.intuit.com/ls/click?upn=u001.4HBRtPy8j6uXsK2aeX2RzAh5EFPhCIIFV3VEN-2Fx7CtL7yL0rqbEG5To4Yn7gWqQ9aLy0xQjXtfA1aWI51jOBcgZZmdPU7rNXiI9qBQrw0Fh0XMUzwxEuUgv3ZFNQWIem-2BNTPYnrL9k9a1nDRjz4a88WPYyDduqTuKohuiQXsusYwJ-2FidZWWf8oC-2Bke5XZf6maHD-2Fd7ablYFhYAopCg9-2FJ24-2F8yZwA220wlNNRUX0yppVttR34V4P26behAEAgmPnWgi1QdqkcH8GVovfzu4LIw-3D-3DQBy7_5Y9C-2B-2Fzbmi1Z8AZ1P0Xb45Ep-2FzkkH96c1HQoTeKyfF3Cy9GA0JrKF-2FtBKU7Gy7tV6PIIEw2aSpbKuiOE5zUrdfKHijLS1CrX6di2rdCWz3230MnOWYRyIFetWhrSPF9k5LzSphdJmNETjrHElDpdShj1s4ILnQWpWcU1acTiMnif850-2BYV-2F5lXeG2jTC-2BOwApN8qupRmwT8fNNE9PPcwErJLxahBxSpmSq91gTlumLJlQuv6Mi-2FueOgXZeZsKYVaksXeYc4hm3iYcmZyYCYz0c5CytX-2FkcYDgjcEPGcMdE4wdmef7F34ZhNuR1BzXUZca-2BlM-2FSHy6Wcv-2B44fNGLavW0-2FgwmkSe7DWrN2Qxs4-2BbmqEK8zVd2B-2F-2BfhLv7s-2BwUYCFzSfpco2w0S0EkPk2QiaigfgYJrhsDWFQrr8XAjN8LEK9fzOOYMlKBdNBCCovn1-2BQdoVowInLACYcfv7UF18ixzp9yjXcoI2GtVtXTFy0zwL-2BunyW6y6aLD3UTkKp7eGuS-2Fs2l9K233QQTHOgsxIsW5yOnAipuno6Jz4FUupJjvG-2FSd7m5GLY99tPmOlknWYVUdaS4l4nbH7zNFdVoP-2Fmr7J9FoB812uhszre4JhgikLbqFLMCT1av4GEdnKOwpstUkw9rVNgxd2MHPktA30uhIQeOnTGGKgw66UsPvJvw-3DGet hashmaliciousUnknownBrowse
                    • 104.17.27.92
                    ORACLE-BMC-31898USfile.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 193.122.130.0
                    f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 158.101.44.242
                    MT Marine Tiger.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 193.122.6.168
                    new order.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 158.101.44.242
                    MT Marine Tiger.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 158.101.44.242
                    vsl particulars packing list.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 193.122.6.168
                    new order.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 193.122.6.168
                    LETTER OF AUTHORIZATION.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 193.122.130.0
                    IMG_2007_520073.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                    • 158.101.44.242
                    paediatric neurologist medico legal 68003.jsGet hashmaliciousUnknownBrowse
                    • 158.101.87.136

                    JA3 Fingerprints

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    54328bd36c14bd82ddaa0c04b25ed9adYBzCUPEvkm.exeGet hashmaliciousUnknownBrowse
                    • 188.114.97.3
                    YBzCUPEvkm.exeGet hashmaliciousUnknownBrowse
                    • 188.114.97.3
                    file.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    scan copy.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    vsl particulars packing list.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    MT Marine Tiger.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    new order.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3
                    LETTER OF AUTHORIZATION.exeGet hashmaliciousSnake KeyloggerBrowse
                    • 188.114.97.3

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_zkB0qfWSJk.exe_4e21ab8a6c52a8fdeb5761423d21df82a93865_bf7f78a4_6293aa2d-2707-4d52-988e-67550924207e\Report.wer

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.989209146359892
                    Encrypted:false
                    SSDEEP:192:3Z6flW6/Ajd3n0UnUtaWh8U/NzuiFKZ24lO8SKe:p6fv/AR30UnUtau80zuiFKY4lO8O
                    MD5:90631DCEA949BB3C76B8AA5D6A6E8558
                    SHA1:F5113E9572100EFCED6C77322603B64E18415DCC
                    SHA-256:5E0456312F207FFC1BE60C80DE8DBD3A87D98090B7B82373B6BF7BF697143147
                    SHA-512:81930820324B68AD293124143B455C8F88A8885AEE4C6EA946FEAAA2140C58BB5F70E0A68F5F40AECA403353B2E030DD80B4D8F9A3E4B3154F0CB0228EAFCD94
                    Malicious:true
                    Reputation:low
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.1.1.6.8.9.6.8.0.0.1.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.1.1.6.9.0.5.2.3.7.6.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.9.3.a.a.2.d.-.2.7.0.7.-.4.d.5.2.-.9.8.8.e.-.6.7.5.5.0.9.2.4.2.0.7.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.a.f.8.a.9.1.-.3.e.f.0.-.4.2.6.6.-.8.9.9.9.-.e.2.3.9.c.0.c.9.9.b.3.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.z.k.B.0.q.f.W.S.J.k...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.z.i.b.i.x.u.n.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.3.4.-.0.0.0.1.-.0.0.1.4.-.f.4.9.2.-.e.d.e.b.b.4.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.9.1.4.b.3.6.2.c.4.2.8.2.0.e.5.a.a.f.1.4.a.f.2.9.1.1.b.7.6.1.d.0.0.0.0.0.0.0.0.!.0.0.0.0.9.e.5.1.5.2.2.1.e.9.9.a.f.4.2.2.d.0.e.7.c.7.6.b.3.b.9.0.e.9.a.2.5.9.f.6.7.5.6.2.!.z.k.B.0.q.f.W.S.J.k...e.x.

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F66.tmp.dmp

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Mini DuMP crash report, 16 streams, Mon Jul 1 12:48:09 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):384323
                    Entropy (8bit):3.296744421830435
                    Encrypted:false
                    SSDEEP:3072:fviUMwo0n2mS1CCqg3+vt2bN46qMLLZm8cSBw1/X6XZ4Xy4abZ:3ir0Oqg3QtOFzwoyab
                    MD5:1207C30E76B594F3DD3357A93EF45F99
                    SHA1:7881F98EEAEEB2ED738795AB4140DD6BBD12E51B
                    SHA-256:E85CC1B9D55517212322FDB3EAF36B72C74065642515C19E23773F77EB792CA8
                    SHA-512:10CF96F25E0FBE7E7AFBA3FF433D2390E0F2723AA48E83C8D6F89AE5F520AA5D83D1EAB691F4C8970C816C75C48267BA99F92ABDF5DA0355C6175CFD321D285F
                    Malicious:false
                    Reputation:low
                    Preview:MDMP..a..... ..........f....................................$...........0...........DE...s..........l.......8...........T............(...............6...........8..............................................................................eJ......p9......Lw......................T.......4......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERA12C.tmp.WERInternalMetadata.xml

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8606
                    Entropy (8bit):3.709451939023042
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJPJNQo6YNRApvJzgmfsqrpr289bGSOfyCm:R6lXJhNQo6YrSvNgmfsqZGDf+
                    MD5:B813BFD7E2CC02898B9A971A31D3BFA9
                    SHA1:F5F0E209F0B4503ECF8FCC235F55ADAEBC51A044
                    SHA-256:8571F6BC8FD9EDC154FA6675968FDF14CA56CF2E03B356508CF4EF4E1E66DD28
                    SHA-512:0A9345EBA0D8E64921E7A7F7DB36F237965F2C4322697579EA5687D35EC279DC7936DF2C21C6F7489E7FEF2F9038B749849232CF4E8FF2C8F88FDD81250949F7
                    Malicious:false
                    Reputation:low
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.2.0.<./.P.i.

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERA18B.tmp.xml

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4761
                    Entropy (8bit):4.526060859681194
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs5Jg771I9DirVWpW8VYrPYm8M4Ji70ESAFayq85x0yL8uXuhY5hDFd:uIjfLI7UiI7VOSJi70Ho0jOuhY5hDFd
                    MD5:6D065DAD60B1319DC57B79F421F084F7
                    SHA1:6E1BC6D5540E2C00362F2AD65740E1F735509E82
                    SHA-256:E8F210434EA501D823EC3879721C2D4B0586878BA2199CB9C2B1785AA439C891
                    SHA-512:4533980E80C9F199FA7BEF332ACD86661A76C378D7B95321FDA43970C98A9C304082C54125D68CBF5EA7BA3C642D0C58FAD147A6257BAC96BA0BE6E859F7EE50
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="391910" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regsvcs.exe.log

                    Download File
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1039
                    Entropy (8bit):5.353332853270839
                    Encrypted:false
                    SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                    MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                    SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                    SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                    SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

                    C:\Windows\appcompat\Programs\Amcache.hve

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):1835008
                    Entropy (8bit):4.417043387547886
                    Encrypted:false
                    SSDEEP:6144:rcifpi6ceLPL9skLmb0mgSWSPtaJG8nAgex285i2MMhA20X4WABlGuNa5+:Qi58gSWIZBk2MM6AFBIo
                    MD5:2F9A38AF25030F49F76ADB115AE8DE49
                    SHA1:63076330AD905B9209AB8C574D7383F75B53BF82
                    SHA-256:325F7F793F59585567C47EDC8013E229E72F3B2C317BDD0184147465BC6DB38C
                    SHA-512:920A1A383F371B20B061E702511CDBE1C7B41EBA363A3F5709715709A9F7C1A5410252424FE6227B178CEA2520B82BA9250056964739E431FF7D384074499EA2
                    Malicious:false
                    Reputation:low
                    Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..4..................................................................................................................................................................................................................................................................................................................................................".........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    Static File Info

                    General

                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):5.592579048212426
                    TrID:
                    • Win64 Executable GUI (202006/5) 92.65%
                    • Win64 Executable (generic) (12005/4) 5.51%
                    • Generic Win/DOS Executable (2004/3) 0.92%
                    • DOS Executable Generic (2002/1) 0.92%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:zkB0qfWSJk.exe
                    File size:1'318'932 bytes
                    MD5:7e3694a4d525aecb407e7dfee160afee
                    SHA1:9e515221e99af422d0e7c76b3b90e9a259f67562
                    SHA256:2facfa5bb80933431ce452627dd71c6c9b5711799dea72732e1617622ec45c54
                    SHA512:1eb559e7d6cdb090fd16bb36aee866b156341ca95955313a73e1187cf7fbfbd7f5aea2d0c2a6b67394e94218899b79d977dddcdf1dcf587c45b6cf9a1388a7eb
                    SSDEEP:12288:o+WbFkpXD7n1FDoPNUCobwMtFTUhqxDd1XKm:o+4i3nnDAUCobwQ3h1R
                    TLSH:82551240B98B6D83FE5A0432D9E078F161FE9E63B6F585AFCFD68E18900527DA050E74
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Y............"...0.D:............... ....@...... ....................................`................................

                    File Icon

                    Icon Hash:00928e8e8686b000

                    Static PE Info

                    General

                    Entrypoint:0x400000
                    Entrypoint Section:
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x9B9359DD [Mon Sep 16 18:47:57 2052 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:

                    Entrypoint Preview

                    Instruction
                    dec ebp
                    pop edx
                    nop
                    add byte ptr [ebx], al
                    add byte ptr [eax], al
                    add byte ptr [eax+eax], al
                    add byte ptr [eax], al

                    Data Directories

                    NameVirtual AddressVirtual Size Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x8f4.rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                    IMAGE_DIRECTORY_ENTRY_DEBUG0x5a280x1c.text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                    Sections

                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                    .text0x20000x3a440x3c0033a5de703d7da7e92e4605088fabb465False0.6321614583333334data6.106458819653683IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc0x60000x8f40xa004988a2533468bd4c2924e268064d13eaFalse0.292578125data4.410476500252751IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                    Resources

                    NameRVASizeTypeLanguageCountryZLIB Complexity
                    RT_VERSION0x60b80x328data0.4962871287128713
                    RT_VERSION0x63e00x328dataEnglishUnited States0.4975247524752475
                    RT_MANIFEST0x67080x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                    Possible Origin

                    Language of compilation systemCountry where language is spokenMap
                    EnglishUnited States

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    TimestampSource PortDest PortSource IPDest IP
                    Jul 1, 2024 14:48:10.591850042 CEST4970780192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:10.596870899 CEST8049707193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:10.596945047 CEST4970780192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:10.597244024 CEST4970780192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:10.602057934 CEST8049707193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:11.065618992 CEST8049707193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:11.070789099 CEST4970780192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:11.075675964 CEST8049707193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:11.173079014 CEST8049707193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:11.223628998 CEST4970780192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:11.266712904 CEST49708443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:11.266738892 CEST44349708188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:11.266813993 CEST49708443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:11.276556969 CEST49708443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:11.276567936 CEST44349708188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:11.759496927 CEST44349708188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:11.759593964 CEST49708443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:11.773340940 CEST49708443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:11.773365974 CEST44349708188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:11.773772955 CEST44349708188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:11.816663980 CEST49708443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:11.839236975 CEST49708443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:11.884500980 CEST44349708188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:11.952279091 CEST44349708188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:11.952373981 CEST44349708188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:11.952438116 CEST49708443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:11.958723068 CEST49708443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:11.964791059 CEST4970780192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:11.969803095 CEST8049707193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:12.095835924 CEST8049707193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:12.101397038 CEST49709443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:12.101442099 CEST44349709188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:12.101521015 CEST49709443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:12.102035046 CEST49709443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:12.102049112 CEST44349709188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:12.144774914 CEST4970780192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:12.570405960 CEST44349709188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:12.573571920 CEST49709443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:12.573615074 CEST44349709188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:12.706211090 CEST44349709188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:12.706554890 CEST44349709188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:12.706623077 CEST49709443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:12.707163095 CEST49709443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:12.714468002 CEST4970780192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:12.716641903 CEST4971180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:12.720134020 CEST8049707193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:12.720273972 CEST4970780192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:12.721580982 CEST8049711193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:12.721673012 CEST4971180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:12.722074032 CEST4971180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:12.726850033 CEST8049711193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:13.187371969 CEST8049711193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:13.188999891 CEST49713443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:13.189053059 CEST44349713188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:13.189214945 CEST49713443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:13.189577103 CEST49713443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:13.189590931 CEST44349713188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:13.238569021 CEST4971180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:13.668471098 CEST44349713188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:13.678589106 CEST49713443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:13.678618908 CEST44349713188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:13.811358929 CEST44349713188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:13.811472893 CEST44349713188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:13.811594009 CEST49713443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:13.811983109 CEST49713443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:13.816720009 CEST4971180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:13.818139076 CEST4971580192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:13.821705103 CEST8049711193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:13.821763039 CEST4971180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:13.822935104 CEST8049715193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:13.823075056 CEST4971580192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:13.823156118 CEST4971580192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:13.827944040 CEST8049715193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:14.308888912 CEST8049715193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:14.310689926 CEST49718443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:14.310728073 CEST44349718188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:14.310971975 CEST49718443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:14.311253071 CEST49718443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:14.311268091 CEST44349718188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:14.363574982 CEST4971580192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:14.802592993 CEST44349718188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:14.841674089 CEST49718443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:14.841698885 CEST44349718188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:14.963596106 CEST44349718188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:14.963682890 CEST44349718188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:14.963757038 CEST49718443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:14.964423895 CEST49718443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:15.034662962 CEST4971980192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:15.039571047 CEST8049719193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:15.039659023 CEST4971980192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:15.039767027 CEST4971980192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:15.044509888 CEST8049719193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:15.518539906 CEST8049719193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:15.520138979 CEST49720443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:15.520184994 CEST44349720188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:15.520262003 CEST49720443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:15.520581007 CEST49720443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:15.520592928 CEST44349720188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:15.566658020 CEST4971980192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:15.992094040 CEST44349720188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:15.997410059 CEST49720443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:15.997437954 CEST44349720188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:16.123816967 CEST44349720188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:16.123903990 CEST44349720188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:16.123996019 CEST49720443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:16.124536037 CEST49720443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:16.127999067 CEST4971980192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:16.129076958 CEST4972180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:16.133400917 CEST8049719193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:16.133934975 CEST8049721193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:16.134001970 CEST4971980192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:16.134036064 CEST4972180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:16.134155035 CEST4972180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:16.138916016 CEST8049721193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:16.619695902 CEST8049721193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:16.621247053 CEST49722443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:16.621290922 CEST44349722188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:16.621438026 CEST49722443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:16.621730089 CEST49722443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:16.621741056 CEST44349722188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:16.660427094 CEST4972180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:17.110516071 CEST44349722188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:17.112235069 CEST49722443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:17.112252951 CEST44349722188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:17.247061968 CEST44349722188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:17.247185946 CEST44349722188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:17.247248888 CEST49722443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:17.247687101 CEST49722443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:17.251252890 CEST4972180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:17.252335072 CEST4972380192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:17.256352901 CEST8049721193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:17.256428957 CEST4972180192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:17.257107019 CEST8049723193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:17.257188082 CEST4972380192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:17.257314920 CEST4972380192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:17.262042999 CEST8049723193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:17.723016024 CEST8049723193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:17.724467039 CEST49725443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:17.724522114 CEST44349725188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:17.724597931 CEST49725443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:17.724947929 CEST49725443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:17.724961042 CEST44349725188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:17.769793987 CEST4972380192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:18.196253061 CEST44349725188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:18.197982073 CEST49725443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:18.197994947 CEST44349725188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:18.328349113 CEST44349725188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:18.328454018 CEST44349725188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:18.328604937 CEST49725443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:18.329078913 CEST49725443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:18.332593918 CEST4972380192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:18.333944082 CEST4972680192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:18.337651014 CEST8049723193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:18.337745905 CEST4972380192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:18.338737011 CEST8049726193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:18.338807106 CEST4972680192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:18.338881016 CEST4972680192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:18.343606949 CEST8049726193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:18.805651903 CEST8049726193.122.130.0192.168.2.7
                    Jul 1, 2024 14:48:18.807632923 CEST49727443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:18.807662010 CEST44349727188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:18.807735920 CEST49727443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:18.808005095 CEST49727443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:18.808020115 CEST44349727188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:18.847915888 CEST4972680192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:19.270138979 CEST44349727188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:19.291003942 CEST49727443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:19.291026115 CEST44349727188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:19.550152063 CEST44349727188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:19.550256968 CEST44349727188.114.97.3192.168.2.7
                    Jul 1, 2024 14:48:19.550362110 CEST49727443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:19.551203012 CEST49727443192.168.2.7188.114.97.3
                    Jul 1, 2024 14:48:19.740675926 CEST4971580192.168.2.7193.122.130.0
                    Jul 1, 2024 14:48:19.741255045 CEST4972680192.168.2.7193.122.130.0

                    UDP Packets

                    TimestampSource PortDest PortSource IPDest IP
                    Jul 1, 2024 14:48:10.569858074 CEST5228853192.168.2.71.1.1.1
                    Jul 1, 2024 14:48:10.582469940 CEST53522881.1.1.1192.168.2.7
                    Jul 1, 2024 14:48:11.256110907 CEST5349453192.168.2.71.1.1.1
                    Jul 1, 2024 14:48:11.265809059 CEST53534941.1.1.1192.168.2.7

                    DNS Queries

                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                    Jul 1, 2024 14:48:10.569858074 CEST192.168.2.71.1.1.10x10c9Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                    Jul 1, 2024 14:48:11.256110907 CEST192.168.2.71.1.1.10x499aStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false

                    DNS Answers

                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                    Jul 1, 2024 14:48:10.582469940 CEST1.1.1.1192.168.2.70x10c9No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                    Jul 1, 2024 14:48:10.582469940 CEST1.1.1.1192.168.2.70x10c9No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                    Jul 1, 2024 14:48:10.582469940 CEST1.1.1.1192.168.2.70x10c9No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 14:48:10.582469940 CEST1.1.1.1192.168.2.70x10c9No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                    Jul 1, 2024 14:48:10.582469940 CEST1.1.1.1192.168.2.70x10c9No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 14:48:10.582469940 CEST1.1.1.1192.168.2.70x10c9No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                    Jul 1, 2024 14:48:11.265809059 CEST1.1.1.1192.168.2.70x499aNo error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 14:48:11.265809059 CEST1.1.1.1192.168.2.70x499aNo error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false

                    HTTP Request Dependency Graph

                    • reallyfreegeoip.org
                    • checkip.dyndns.org

                    HTTP Packets

                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    0192.168.2.749707193.122.130.0807376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    Jul 1, 2024 14:48:10.597244024 CEST151OUTGET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 14:48:11.065618992 CEST320INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:11 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: f42198bbd0c01fa209ff9f479acb6316
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Jul 1, 2024 14:48:11.070789099 CEST127OUTGET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Jul 1, 2024 14:48:11.173079014 CEST320INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:11 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: c25faceea28e159e0dbbde8300e8c060
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Jul 1, 2024 14:48:11.964791059 CEST127OUTGET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Jul 1, 2024 14:48:12.095835924 CEST320INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:12 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 89c8ae84ab4b45c2032ee908847c1d0e
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    1192.168.2.749711193.122.130.0807376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    Jul 1, 2024 14:48:12.722074032 CEST127OUTGET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Jul 1, 2024 14:48:13.187371969 CEST320INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:13 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: cbe1775e67f824909e5abe3b3c130b45
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    2192.168.2.749715193.122.130.0807376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    Jul 1, 2024 14:48:13.823156118 CEST127OUTGET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Jul 1, 2024 14:48:14.308888912 CEST320INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:14 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 177d75d00c68ce5c9ab71f3718b567bb
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    3192.168.2.749719193.122.130.0807376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    Jul 1, 2024 14:48:15.039767027 CEST151OUTGET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 14:48:15.518539906 CEST320INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:15 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 63f9ffda4284904e42009a25a131e1af
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    4192.168.2.749721193.122.130.0807376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    Jul 1, 2024 14:48:16.134155035 CEST151OUTGET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 14:48:16.619695902 CEST320INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:16 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 40be2ff6f9e51ae8f18773e458818eb7
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    5192.168.2.749723193.122.130.0807376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    Jul 1, 2024 14:48:17.257314920 CEST151OUTGET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 14:48:17.723016024 CEST320INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:17 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 0d41388f30d3bacb4c26aaa8f7506276
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    6192.168.2.749726193.122.130.0807376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    Jul 1, 2024 14:48:18.338881016 CEST151OUTGET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 14:48:18.805651903 CEST320INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:18 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 042a4b48bdd4d1f673b13f3855f444c6
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    HTTPS Proxied Packets

                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    0192.168.2.749708188.114.97.34437376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    2024-07-01 12:48:11 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 12:48:11 UTC714INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:11 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 80655
                    Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FWAqUW%2FSlPhr%2BJTTwUSJvAoXZJ2kPPMnXIROrBYHGpw6N4Lf%2FvnXvqeDo%2F5yK1D%2BW06H8ZVDUx8%2Ff7J97xkOQdMo1eisWmf5YJrNwzOyJ3cW5a9Apqg1gAZWll7rvV%2BNlLqF3DqS"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c6824a4955423d-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 12:48:11 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 12:48:11 UTC5INData Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    1192.168.2.749709188.114.97.34437376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    2024-07-01 12:48:12 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    2024-07-01 12:48:12 UTC708INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:12 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 80656
                    Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4VYu%2Bj0g%2BzvemMrYCnEv7vPzKXC0esV3kLhPVERijCB2whe2W8G9dpbsKYZc2GTC1V3PXwb55z4%2B7GichcLdXz42kSYNDtGs7oULf4gsMlT8gl%2ByQp1LqdkoS8BVqhAB5bmeLW1Q"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c6824f09a043d7-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 12:48:12 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 12:48:12 UTC5INData Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    2192.168.2.749713188.114.97.34437376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    2024-07-01 12:48:13 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 12:48:13 UTC710INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:13 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 80657
                    Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=65hFs4Ztgkd%2B2pbB9wlflceK5xedDjB48aaUPlQceJaa5gJQ6x0OFY78TEPrHHgnO012RFqlV9sBdJI%2Bd78eoQ7RSVpQYQ0ziiYxRbOxxrYnRHIaTtAv%2Fr3pIfdwEH7cA%2B68%2FoOE"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c68255fca35e62-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 12:48:13 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 12:48:13 UTC5INData Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    3192.168.2.749718188.114.97.34437376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    2024-07-01 12:48:14 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 12:48:14 UTC714INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:14 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 80658
                    Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UmxshWS14uPUhlJk6wMv97cr8s9%2Bb3BbA8X60cPfeTzdALJjna%2B%2FJM2%2FxsmSxkQkD0fGPTPNX3za0bVitKrSqqbVcuuACY48MGo%2FMaE3XwZbBgsq%2BLl2WdzotYic7geGHDH%2BF0qH"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c6825d185f8c27-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 12:48:14 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 12:48:14 UTC5INData Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    4192.168.2.749720188.114.97.34437376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    2024-07-01 12:48:15 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 12:48:16 UTC704INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:16 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 80660
                    Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8XHORhrPR5XKHm97Aczzou8BwYwPkGVjVkBetE4IJhhMhiXI0WaQKPARybmQTP%2FZLxTnejWTxkb3ULo37eS%2Fa9Of8ATL152wOFLbsRxPWqEmrI52N0Gguky4SLNYxSV63eDg2Qvv"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c68264687e5e60-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 12:48:16 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 12:48:16 UTC5INData Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    5192.168.2.749722188.114.97.34437376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    2024-07-01 12:48:17 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 12:48:17 UTC712INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:17 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 80661
                    Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IBSUMzfc3B4h2qtYH%2F3uu8PA%2FZgb57KTDtrtqH3D9jCJ0zk4E5%2Fp%2FCF7fK5BObcC45iLchLXFfWSVb5ZWwUxR7usrYbOA2Z2NI0wimJUslTTBD8GBSL%2FhviEEviCVCPegR6%2FcGdQ"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c6826b694d8cab-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 12:48:17 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 12:48:17 UTC5INData Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    6192.168.2.749725188.114.97.34437376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    2024-07-01 12:48:18 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 12:48:18 UTC708INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:18 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 80662
                    Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4mXNgSR8IWkjvxyq5tD6pgUtuyuaPpWp44ETHiQFBfOtTyCVHv1bEAqMq3VCpRCdagrlEFE09rEqolZ90DtCxjiq%2F2jVksE2LCR%2FVo7jpQJ%2Bl%2F3cgYvd4E8q0UrCu5f2dKt457Cd"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c68272297e420b-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 12:48:18 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 12:48:18 UTC5INData Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                    7192.168.2.749727188.114.97.34437376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    TimestampBytes transferredDirectionData
                    2024-07-01 12:48:19 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 12:48:19 UTC712INHTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 12:48:19 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 80663
                    Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4avI8PiqP6%2FZKgNJNVAR7dgk%2F2B4yrncdgkt8a8vDkTQMh4efAzsH0pfhnpDnkFPeUg6xsnV9onAjifbDhe%2FmFnZ%2F9T9IkZQ0gjNjl1BlA9YzuGnX8jBjK%2B%2BoknINRUBb9D7fkIc"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c68279091342e2-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 12:48:19 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 12:48:19 UTC5INData Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Statistics

                    CPU Usage

                    Click to jump to process

                    Memory Usage

                    Click to jump to process

                    High Level Behavior Distribution

                    Click to dive into process behavior distribution

                    Behavior

                    Click to jump to process

                    System Behavior

                    General

                    Target ID:7
                    Start time:08:48:07
                    Start date:01/07/2024
                    Path:C:\Users\user\Desktop\zkB0qfWSJk.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\zkB0qfWSJk.exe"
                    Imagebase:0x1ae67800000
                    File size:1'318'932 bytes
                    MD5 hash:7E3694A4D525AECB407E7DFEE160AFEE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000007.00000002.1463545156.000001AE1014B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.1462697047.000001AE0003B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    General

                    Target ID:9
                    Start time:08:48:08
                    Start date:01/07/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                    Imagebase:0xc60000
                    File size:45'984 bytes
                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.1392970059.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.1393870851.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.1393870851.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:10
                    Start time:08:48:08
                    Start date:01/07/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                    Imagebase:
                    File size:45'984 bytes
                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    General

                    Target ID:13
                    Start time:08:48:09
                    Start date:01/07/2024
                    Path:C:\Windows\System32\WerFault.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\WerFault.exe -u -p 7220 -s 980
                    Imagebase:0x7ff76f550000
                    File size:570'736 bytes
                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:17
                    Start time:08:48:18
                    Start date:01/07/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                    Imagebase:0x410000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:18
                    Start time:08:48:18
                    Start date:01/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff75da10000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:19
                    Start time:08:48:18
                    Start date:01/07/2024
                    Path:C:\Windows\SysWOW64\choice.exe
                    Wow64 process (32bit):true
                    Commandline:choice /C Y /N /D Y /T 3
                    Imagebase:0x9c0000
                    File size:28'160 bytes
                    MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Disassembly

                    Reset < >

                      Execution Graph

                      Execution Coverage:13.1%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:8
                      Total number of Limit Nodes:1
                      execution_graph 11785 7ffaac6c314a 11787 7ffaac6c3159 11785->11787 11786 7ffaac6c3138 11787->11786 11788 7ffaac6c31eb VirtualProtect 11787->11788 11789 7ffaac6c3231 11788->11789 11781 7ffaac6c982d 11782 7ffaac6c983f VirtualProtect 11781->11782 11784 7ffaac6d81e1 11782->11784

                      Executed Functions

                      Function 00007FFAAC79026B Relevance: 9.6, Strings: 6, Instructions: 2115COMMON
                      Download Yara Rule

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468660098.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac790000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID: pi$A$3J$3J$3J$3J
                      • API String ID: 0-2470729399
                      • Opcode ID: 90c5f0ce5d0867fd6803263c8c258ebe32a7d47ee4bf27b6e44705e4b36fa0e6
                      • Instruction ID: 8ff8968b66fa9fc9c7ea2c43825d14ede982944eb76c4e70f70cf14f39128146
                      • Opcode Fuzzy Hash: 90c5f0ce5d0867fd6803263c8c258ebe32a7d47ee4bf27b6e44705e4b36fa0e6
                      • Instruction Fuzzy Hash: FBD2E27291E7C58FF796DB6888555A47FF0EF57300B0845FAD08DCB092DA2EA84AC781
                      Function 00007FFAAC6C8730 Relevance: 8.5, Strings: 6, Instructions: 1015COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 59 7ffaac6c8730-7ffaac6cd35e 61 7ffaac6cd377 59->61 62 7ffaac6cd360-7ffaac6cd375 59->62 63 7ffaac6cd379-7ffaac6cd37e 61->63 62->63 65 7ffaac6cd3ae-7ffaac6cd3c5 63->65 66 7ffaac6cd380-7ffaac6cd3a2 63->66 69 7ffaac6cd3f6-7ffaac6cd404 65->69 70 7ffaac6cd3c7-7ffaac6cd3ee 65->70 66->65 75 7ffaac6cd3a4-7ffaac6cd3a9 66->75 73 7ffaac6cd406-7ffaac6cd40b 69->73 74 7ffaac6cd46e-7ffaac6cd4a5 69->74 87 7ffaac6cd443-7ffaac6cd448 70->87 88 7ffaac6cd3f0-7ffaac6cd3f4 70->88 78 7ffaac6cd44a 73->78 79 7ffaac6cd40d-7ffaac6cd441 73->79 91 7ffaac6cd4a7-7ffaac6cd4ee 74->91 92 7ffaac6cd4ef-7ffaac6cd509 74->92 80 7ffaac6cd45c-7ffaac6cd464 75->80 82 7ffaac6cd44c-7ffaac6cd451 78->82 79->82 85 7ffaac6cd453-7ffaac6cd458 82->85 86 7ffaac6cd45a 82->86 85->80 86->80 87->80 88->69 88->70 91->92 96 7ffaac6cd50b-7ffaac6cd519 92->96 97 7ffaac6cd55c-7ffaac6cd57e 92->97 99 7ffaac6cd532 96->99 100 7ffaac6cd51b-7ffaac6cd530 96->100 101 7ffaac6cd5d3-7ffaac6cd5de 97->101 102 7ffaac6cd534-7ffaac6cd539 99->102 100->102 103 7ffaac6cd580-7ffaac6cd586 101->103 104 7ffaac6cd5e0-7ffaac6cd5f7 101->104 106 7ffaac6cd636-7ffaac6cd656 102->106 107 7ffaac6cd53f-7ffaac6cd54e 102->107 108 7ffaac6cdb22-7ffaac6cdb3a 103->108 109 7ffaac6cd58c-7ffaac6cd5d0 call 7ffaac6c8720 103->109 116 7ffaac6cd626-7ffaac6cd631 call 7ffaac6c90c8 104->116 117 7ffaac6cd5f9-7ffaac6cd61f call 7ffaac6c8720 104->117 113 7ffaac6cd6a7-7ffaac6cd6b2 106->113 114 7ffaac6cd558-7ffaac6cd559 107->114 115 7ffaac6cd550-7ffaac6cd556 107->115 125 7ffaac6cdb84-7ffaac6cdba6 call 7ffaac6c4810 108->125 126 7ffaac6cdb3c-7ffaac6cdb77 call 7ffaac6c9288 108->126 109->101 118 7ffaac6cd658-7ffaac6cd65e 113->118 119 7ffaac6cd6b4-7ffaac6cd6c3 113->119 122 7ffaac6cd55b 114->122 115->122 137 7ffaac6cd76c-7ffaac6cd780 116->137 117->116 118->108 127 7ffaac6cd664-7ffaac6cd685 call 7ffaac6c8720 118->127 135 7ffaac6cd6d9 119->135 136 7ffaac6cd6c5-7ffaac6cd6d7 119->136 122->97 168 7ffaac6cdba8-7ffaac6cdbb1 125->168 164 7ffaac6cdb79-7ffaac6cdb82 126->164 165 7ffaac6cdbc1-7ffaac6cdbcb 126->165 148 7ffaac6cd68a-7ffaac6cd6a4 127->148 143 7ffaac6cd6db-7ffaac6cd6e0 135->143 136->143 144 7ffaac6cd782-7ffaac6cd788 137->144 145 7ffaac6cd7d0-7ffaac6cd7df 137->145 143->137 150 7ffaac6cd6e6-7ffaac6cd708 call 7ffaac6c8720 143->150 151 7ffaac6cd7a7-7ffaac6cd7bf 144->151 152 7ffaac6cd78a-7ffaac6cd7a5 144->152 158 7ffaac6cd7e1-7ffaac6cd7ea 145->158 159 7ffaac6cd7ec 145->159 148->113 179 7ffaac6cd736-7ffaac6cd737 150->179 180 7ffaac6cd70a-7ffaac6cd734 150->180 156 7ffaac6cd7c8-7ffaac6cd7cb 151->156 152->151 166 7ffaac6cd978-7ffaac6cd98d 156->166 167 7ffaac6cd7ee-7ffaac6cd7f3 158->167 159->167 164->125 169 7ffaac6cdbd6-7ffaac6cdbe7 165->169 170 7ffaac6cdbcd-7ffaac6cdbd5 165->170 181 7ffaac6cd98f-7ffaac6cd9cb 166->181 182 7ffaac6cd9cd 166->182 173 7ffaac6cd7f9-7ffaac6cd7fc 167->173 174 7ffaac6cdaff-7ffaac6cdb00 167->174 175 7ffaac6cdbb3-7ffaac6cdbbb 168->175 176 7ffaac6cdbbc-7ffaac6cdbbf 168->176 177 7ffaac6cdbe9-7ffaac6cdbf1 169->177 178 7ffaac6cdbf2-7ffaac6cdbfa 169->178 170->169 184 7ffaac6cd844 173->184 185 7ffaac6cd7fe-7ffaac6cd81b call 7ffaac6c0248 173->185 183 7ffaac6cdb03-7ffaac6cdb12 174->183 175->176 176->165 177->178 178->168 187 7ffaac6cdbfc-7ffaac6cdbff 178->187 190 7ffaac6cd739-7ffaac6cd740 179->190 180->190 191 7ffaac6cd9cf-7ffaac6cd9d4 181->191 182->191 195 7ffaac6cdb13-7ffaac6cdb1b 183->195 189 7ffaac6cd846-7ffaac6cd84b 184->189 185->184 217 7ffaac6cd81d-7ffaac6cd842 185->217 196 7ffaac6cd851-7ffaac6cd85d 189->196 197 7ffaac6cd94c-7ffaac6cd96f 189->197 190->137 198 7ffaac6cd742-7ffaac6cd767 call 7ffaac6c8748 190->198 199 7ffaac6cd9d6-7ffaac6cda2d call 7ffaac6c4748 191->199 200 7ffaac6cda44-7ffaac6cda58 191->200 195->108 196->108 205 7ffaac6cd863-7ffaac6cd872 196->205 216 7ffaac6cd975-7ffaac6cd976 197->216 220 7ffaac6cdaee-7ffaac6cdafe 198->220 240 7ffaac6cda9e-7ffaac6cdaa4 199->240 241 7ffaac6cda2f-7ffaac6cda33 199->241 202 7ffaac6cdaa7-7ffaac6cdab3 call 7ffaac6c7050 200->202 203 7ffaac6cda5a-7ffaac6cda85 call 7ffaac6c4748 200->203 222 7ffaac6cdab4-7ffaac6cdacc 202->222 229 7ffaac6cda8a-7ffaac6cda92 203->229 212 7ffaac6cd874-7ffaac6cd883 205->212 213 7ffaac6cd885-7ffaac6cd892 call 7ffaac6c0248 205->213 230 7ffaac6cd898-7ffaac6cd89e 212->230 213->230 216->166 217->189 222->108 223 7ffaac6cdace-7ffaac6cdade 222->223 227 7ffaac6cdae0-7ffaac6cdaeb 223->227 227->220 229->183 232 7ffaac6cda94-7ffaac6cda97 229->232 233 7ffaac6cd8d3-7ffaac6cd8d8 230->233 234 7ffaac6cd8a0-7ffaac6cd8cd 230->234 232->195 239 7ffaac6cda99 232->239 233->108 238 7ffaac6cd8de-7ffaac6cd8fe 233->238 234->233 246 7ffaac6cd912-7ffaac6cd942 call 7ffaac6c9368 238->246 247 7ffaac6cd900-7ffaac6cd90f 238->247 239->227 243 7ffaac6cda9b 239->243 240->202 241->222 245 7ffaac6cda35-7ffaac6cda3f 241->245 243->240 245->200 251 7ffaac6cd947-7ffaac6cd94a 246->251 247->246 251->166
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0#%$0#%$0#%$0#%$0#%$x!%
                      • API String ID: 0-2501406988
                      • Opcode ID: d1f9f185adb15c118e51694e7cce1dfcca35defb671cadc2ff89ea62ca389417
                      • Instruction ID: 08a7096c0cf65630e612bcc2eaec6b108dea0d19b064903a32f8c62c6459e4b4
                      • Opcode Fuzzy Hash: d1f9f185adb15c118e51694e7cce1dfcca35defb671cadc2ff89ea62ca389417
                      • Instruction Fuzzy Hash: 9E62D630A1D9098FEBAAEB2CC455A7977E1FF5A300B1451BDE04EC7292DE24EC56C781
                      Function 00007FFAAC6C418C Relevance: 3.0, Strings: 2, Instructions: 467COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 780 7ffaac6c418c-7ffaac6c4193 781 7ffaac6c4195-7ffaac6c419d 780->781 782 7ffaac6c419e-7ffaac6c41ee 780->782 781->782 784 7ffaac6c41f4-7ffaac6c4256 782->784 785 7ffaac6c4466-7ffaac6c4499 782->785 810 7ffaac6c42a5-7ffaac6c42ae 784->810 811 7ffaac6c4258-7ffaac6c4264 call 7ffaac6c36b8 784->811 793 7ffaac6c44a3-7ffaac6c44be 785->793 794 7ffaac6c449b-7ffaac6c44a2 785->794 797 7ffaac6c44f2-7ffaac6c451a 793->797 798 7ffaac6c44c0-7ffaac6c44c2 793->798 794->793 808 7ffaac6c44c8 797->808 809 7ffaac6c451c-7ffaac6c4521 797->809 799 7ffaac6c44c4-7ffaac6c44c7 call 7ffaac6c3788 798->799 800 7ffaac6c44cc-7ffaac6c44d2 798->800 799->808 804 7ffaac6c44d4-7ffaac6c44e0 800->804 805 7ffaac6c44e1-7ffaac6c44f1 800->805 804->805 808->800 816 7ffaac6c4524-7ffaac6c455a 809->816 817 7ffaac6c4292-7ffaac6c42a4 call 7ffaac6c39e8 call 7ffaac6c39f0 810->817 818 7ffaac6c42b0-7ffaac6c42d9 810->818 819 7ffaac6c4269-7ffaac6c4280 811->819 816->816 821 7ffaac6c455c 816->821 817->810 828 7ffaac6c42e0 818->828 826 7ffaac6c42e2-7ffaac6c42f5 819->826 829 7ffaac6c4282-7ffaac6c4290 call 7ffaac6c39e8 826->829 830 7ffaac6c42f7-7ffaac6c42f9 826->830 828->826 829->817 832 7ffaac6c4352-7ffaac6c4365 830->832 834 7ffaac6c4367-7ffaac6c4369 832->834 835 7ffaac6c42fb-7ffaac6c4350 call 7ffaac6c39e8 * 2 call 7ffaac6c0208 832->835 837 7ffaac6c440e-7ffaac6c4417 834->837 835->832 839 7ffaac6c4418-7ffaac6c4421 837->839 841 7ffaac6c4427-7ffaac6c4465 839->841 842 7ffaac6c436e-7ffaac6c43a0 call 7ffaac6c39e8 839->842 849 7ffaac6c43a2-7ffaac6c43b8 842->849 850 7ffaac6c43ba-7ffaac6c43bb 842->850 851 7ffaac6c43bd-7ffaac6c43c8 849->851 850->851 851->839 855 7ffaac6c43cb-7ffaac6c4407 call 7ffaac6c1988 call 7ffaac6c3790 851->855 859 7ffaac6c440c 855->859 859->837
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID: fish$M_H
                      • API String ID: 0-2822614467
                      • Opcode ID: 2126655f845ad17210e91defb7bd4a99f19fab702ebc9b828647356cf01742c9
                      • Instruction ID: e7935a658e5bf8f7be98f40352f08d76e2ebce383eae0982a26f61684c17ed44
                      • Opcode Fuzzy Hash: 2126655f845ad17210e91defb7bd4a99f19fab702ebc9b828647356cf01742c9
                      • Instruction Fuzzy Hash: 68D10831A1DB4A4FF75EEB2888565B577E1EF96210B0492BED48FC3192DD18E80687C1
                      Function 00007FFAAC6CBC90 Relevance: 1.7, Strings: 1, Instructions: 442COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1137 7ffaac6cbc90-7ffaac6cbcae 1139 7ffaac6cbd1f-7ffaac6cbd2c 1137->1139 1140 7ffaac6cbcb0-7ffaac6cbcb5 1137->1140 1143 7ffaac6cbd76-7ffaac6cbdb3 call 7ffaac6cb150 * 2 call 7ffaac6c7050 1139->1143 1144 7ffaac6cbd2e-7ffaac6cbd35 1139->1144 1141 7ffaac6cbd36-7ffaac6cbd4c 1140->1141 1142 7ffaac6cbcb7-7ffaac6cbcd8 call 7ffaac6c73f0 1140->1142 1147 7ffaac6cbd4d-7ffaac6cbd59 1141->1147 1151 7ffaac6cbcfa-7ffaac6cbd0b 1142->1151 1152 7ffaac6cbcda-7ffaac6cbcf9 1142->1152 1155 7ffaac6cbf8c-7ffaac6cbf9f 1143->1155 1162 7ffaac6cbdb9-7ffaac6cbdd4 1143->1162 1144->1141 1154 7ffaac6cbd5f-7ffaac6cbd75 1147->1154 1147->1155 1151->1147 1160 7ffaac6cbd0d-7ffaac6cbd1d 1151->1160 1154->1143 1163 7ffaac6cbfe1-7ffaac6cbfec 1155->1163 1164 7ffaac6cbfa1-7ffaac6cbfaa 1155->1164 1160->1139 1167 7ffaac6cbdd6-7ffaac6cbdd9 1162->1167 1168 7ffaac6cbe2d-7ffaac6cbe37 1162->1168 1165 7ffaac6cbfee-7ffaac6cbffa 1163->1165 1166 7ffaac6cbffd-7ffaac6cc01c 1163->1166 1169 7ffaac6cbf58-7ffaac6cbf60 1164->1169 1170 7ffaac6cbfac-7ffaac6cbfcb 1164->1170 1165->1166 1172 7ffaac6cc01e-7ffaac6cc02a 1166->1172 1173 7ffaac6cc02d-7ffaac6cc046 1166->1173 1175 7ffaac6cbe5a-7ffaac6cbe6a 1167->1175 1176 7ffaac6cbddb-7ffaac6cbdfb 1167->1176 1171 7ffaac6cbeaf-7ffaac6cbeb7 1168->1171 1169->1155 1174 7ffaac6cbf62-7ffaac6cbf8b 1169->1174 1184 7ffaac6cbfd9-7ffaac6cbfdf 1170->1184 1185 7ffaac6cbfcd-7ffaac6cbfd6 1170->1185 1181 7ffaac6cbf28-7ffaac6cbf3b 1171->1181 1182 7ffaac6cbeb9-7ffaac6cbebe 1171->1182 1172->1173 1179 7ffaac6cc056-7ffaac6cc06b 1173->1179 1180 7ffaac6cc048-7ffaac6cc053 1173->1180 1187 7ffaac6cbeeb-7ffaac6cbf04 1175->1187 1188 7ffaac6cbe6c-7ffaac6cbe94 1175->1188 1190 7ffaac6cbe39-7ffaac6cbe4a 1176->1190 1191 7ffaac6cbdfd-7ffaac6cbe2c 1176->1191 1180->1179 1186 7ffaac6cbf3f-7ffaac6cbf4b call 7ffaac6c3a00 1181->1186 1182->1186 1189 7ffaac6cbec0-7ffaac6cbee8 call 7ffaac6c73f0 1182->1189 1184->1163 1185->1184 1200 7ffaac6cbf50-7ffaac6cbf54 1186->1200 1187->1155 1203 7ffaac6cbf0a-7ffaac6cbf27 1187->1203 1188->1171 1189->1187 1198 7ffaac6cbe99-7ffaac6cbeab 1190->1198 1199 7ffaac6cbe4c-7ffaac6cbe58 1190->1199 1191->1168 1198->1171 1199->1175 1204 7ffaac6cbe96-7ffaac6cbe97 1199->1204 1200->1169 1203->1181 1204->1198
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID: H
                      • API String ID: 0-2852464175
                      • Opcode ID: 4155a47607d9e159a3668c5d686221198e4f68fc13c0356ccc5cd34e1fe217c2
                      • Instruction ID: 232448869d6c923c0215bbd97683530bffb2b2b9cca398991ca061f7c744eac8
                      • Opcode Fuzzy Hash: 4155a47607d9e159a3668c5d686221198e4f68fc13c0356ccc5cd34e1fe217c2
                      • Instruction Fuzzy Hash: D3D16B3091DB858FF31ECB2984951B5B7E1FFD6301B1496BEE4CAC3291DA28E44A87C1
                      Function 00007FFAAC6CC071 Relevance: 1.5, Instructions: 1485COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9854adcd4868964b7805d5a24e03aad753eb3f26dbe59db95b0bc19aa871bb72
                      • Instruction ID: 6dafe87cd5fbfc482a8db97f901aa51b8eb19d58830cd9a58b4ba18b8dd0fb51
                      • Opcode Fuzzy Hash: 9854adcd4868964b7805d5a24e03aad753eb3f26dbe59db95b0bc19aa871bb72
                      • Instruction Fuzzy Hash: 0DA2273051DB4A8FE35ADF28C4944B5B7E1FF96301B1495BED48EC7296DA38E84AC780
                      Function 00007FFAAC6CB43A Relevance: .7, Instructions: 668COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 741d33615fabcab1a01c248a362f64812ad97d0d0836f0ae6c5bbfbb968f3f34
                      • Instruction ID: 2aa2b8ce4558d9794092079ebc791ebbd7dfc794909b4d39a15c013544740559
                      • Opcode Fuzzy Hash: 741d33615fabcab1a01c248a362f64812ad97d0d0836f0ae6c5bbfbb968f3f34
                      • Instruction Fuzzy Hash: 5B22573190EA858FF74BDB2584950B5B7E1EFC2301B1495BED48EC7296DE28E84AC7C1
                      Function 00007FFAAC6D4BC9 Relevance: .2, Instructions: 166COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34dfd37d4a7232d81a3889be13c85e415bad79381a4e6baed91404b4a3f39142
                      • Instruction ID: 96e86531174f215f5c4a07f33f40b52836eca8086bc6b22167d72232bfb50354
                      • Opcode Fuzzy Hash: 34dfd37d4a7232d81a3889be13c85e415bad79381a4e6baed91404b4a3f39142
                      • Instruction Fuzzy Hash: 27415D3260D7494FE31E9B349C161B57BA5E783320B15C2BBD08AC71A7DD28980683D2
                      Function 00007FFAAC6D4C22 Relevance: .1, Instructions: 147COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1ff6d6b227ec2d0da4430f32b0af6edd7d9cd2d639e80e605b5aee4fff9a4778
                      • Instruction ID: 803c23b290d7dbee58ff37adc6008b78d26371e740eeb17aaf9394e302941382
                      • Opcode Fuzzy Hash: 1ff6d6b227ec2d0da4430f32b0af6edd7d9cd2d639e80e605b5aee4fff9a4778
                      • Instruction Fuzzy Hash: E2414D3190D7494FE31B9B3488151B67BA6EB83310B15C2BBD08AC71A7DD389D0A87D2
                      Function 00007FFAAC6C314A Relevance: 1.7, APIs: 1, Instructions: 153memoryCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1205 7ffaac6c314a-7ffaac6c3157 1206 7ffaac6c3162-7ffaac6c3173 1205->1206 1207 7ffaac6c3159-7ffaac6c3161 1205->1207 1208 7ffaac6c3175-7ffaac6c317d 1206->1208 1209 7ffaac6c317e-7ffaac6c318a 1206->1209 1207->1206 1208->1209 1210 7ffaac6c3138-7ffaac6c3146 1209->1210 1211 7ffaac6c318c-7ffaac6c322f VirtualProtect 1209->1211 1215 7ffaac6c3237-7ffaac6c325f 1211->1215 1216 7ffaac6c3231 1211->1216 1216->1215
                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 2b7aff366c2973a0ac8eea1951503411ad08ad10ceb86b98162bbfdac39650d8
                      • Instruction ID: ecfd8f6df392f0df48bdb29d672fd8a2260a4619fbae4eececb5859b001c0b53
                      • Opcode Fuzzy Hash: 2b7aff366c2973a0ac8eea1951503411ad08ad10ceb86b98162bbfdac39650d8
                      • Instruction Fuzzy Hash: 5941393190C7888FE71ADBA8A8065F97BF0EB57321F0442AFD089C35A2DB656856C791
                      Function 00007FFAAC6C982D Relevance: 1.6, APIs: 1, Instructions: 125memoryCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1351 7ffaac6c982d-7ffaac6d81df VirtualProtect 1356 7ffaac6d81e7-7ffaac6d820f 1351->1356 1357 7ffaac6d81e1 1351->1357 1357->1356
                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: cd8508ae3b9bdc02dda9177587149615e24e9cb96971094b01d210e909cdd9b7
                      • Instruction ID: 04328eee8f7b4973c164b78eba5912435ba6f96434c4fb8d9d0d58927ebcc4ca
                      • Opcode Fuzzy Hash: cd8508ae3b9bdc02dda9177587149615e24e9cb96971094b01d210e909cdd9b7
                      • Instruction Fuzzy Hash: 82310571A0CA5C8FEB18DF5DD8496F97BE1EB96321F04426FE04AD3252CB60A816C791
                      Function 00007FFAAC7910C9 Relevance: .2, Instructions: 153COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468660098.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac790000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 88286e8274679b7104bde308aa75f3994e4b98a43d9ec15802bbfaa26b30db18
                      • Instruction ID: ef5adc9336f75377e7159fee7b5647f4295ecac3e058ce80fedc98fc0e2d5811
                      • Opcode Fuzzy Hash: 88286e8274679b7104bde308aa75f3994e4b98a43d9ec15802bbfaa26b30db18
                      • Instruction Fuzzy Hash: 6641F83590D7898FFB86DB28C8955A87FF0FF56300B0581AAD44EC7192DA2AE859C7C1

                      Non-executed Functions

                      Function 00007FFAAC6D4459 Relevance: 1.4, Strings: 1, Instructions: 193COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID: gfff
                      • API String ID: 0-1553575800
                      • Opcode ID: 664427bf7bd7fc08626732c00f2502bcdef076eedbde2d69802f0472788e8970
                      • Instruction ID: 728c97a50ddca8b1bfc705a079344c31b2f0848854ed0af7a643ba0a1daf7b1e
                      • Opcode Fuzzy Hash: 664427bf7bd7fc08626732c00f2502bcdef076eedbde2d69802f0472788e8970
                      • Instruction Fuzzy Hash: DB512C2260E7854FD31FDA7C5C551B17BE5EB8722070982BFD086CB2E7E918AC0B8391
                      Function 00007FFAAC6C143D Relevance: .2, Instructions: 171COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000007.00000002.1468302429.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffaac6c0000_zkB0qfWSJk.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b008427d535f0db35e62d0201ac76924d1c1497683b8f9336ed32f4266629a7c
                      • Instruction ID: 8f2427ac9ec4f222764184051a327dac6c39ee6d20a5b84aadcc4d750990114d
                      • Opcode Fuzzy Hash: b008427d535f0db35e62d0201ac76924d1c1497683b8f9336ed32f4266629a7c
                      • Instruction Fuzzy Hash: F251B05595E7C28BE717D77848A00717FA09F03225B59F5FBC0CE8A097D90DAC4AC396

                      Executed Functions

                      Function 02D7B328 Relevance: 6.6, Strings: 5, Instructions: 349COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                      • API String ID: 0-3801734409
                      • Opcode ID: d322e12bdbef824d62ca1a552bb702d3ab910f48d0c1d161b3e77ca845b39986
                      • Instruction ID: 675f8a3397b27cd8de7f2dd091a4ec7e1f58077437076622dbfe87e7ae6fd861
                      • Opcode Fuzzy Hash: d322e12bdbef824d62ca1a552bb702d3ab910f48d0c1d161b3e77ca845b39986
                      • Instruction Fuzzy Hash: 03E1E975E00618CFDB14DFA9C984A9DBBB1FF48318F15806AE819AB361D735AD41CF50
                      Function 02D7C190 Relevance: 6.4, Strings: 5, Instructions: 191COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                      • API String ID: 0-3801734409
                      • Opcode ID: b53c4d7fdc387f734bafe275b91d2072e2800fc665700aad15c3defb646b4402
                      • Instruction ID: be022b0c16c9c3a67d2337419a3c713dbe0a1eadf5859a70a1560b915b46d4cc
                      • Opcode Fuzzy Hash: b53c4d7fdc387f734bafe275b91d2072e2800fc665700aad15c3defb646b4402
                      • Instruction Fuzzy Hash: D581B574E002189FEB14DFA9D984A9DBBF2BF89300F14C06AE859AB354EB349D41CF54
                      Function 02D7C752 Relevance: 6.4, Strings: 5, Instructions: 191COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                      • API String ID: 0-3801734409
                      • Opcode ID: 843b240183e081be7266cf67383da7f28f7bc6c10c43e213254368ca6fdb8d4b
                      • Instruction ID: df17ae69fec7806f0fe7108079d8658bbb02b85f21d4ab9d82a17cbdcd1d2343
                      • Opcode Fuzzy Hash: 843b240183e081be7266cf67383da7f28f7bc6c10c43e213254368ca6fdb8d4b
                      • Instruction Fuzzy Hash: DE81A474E10218DFDB54DFAAD984A9DBBF2BF88301F14806AE449AB355EB349D41CF10
                      Function 02D74AD9 Relevance: 6.4, Strings: 5, Instructions: 187COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                      • API String ID: 0-3801734409
                      • Opcode ID: 127a56cf19eac2d639d40aab1aee026e5e332e5881976c8f2788673777e30913
                      • Instruction ID: 91c2dd26a012bbb583e47b3d7a3664f1625e286e2d73b2f9e85390f88fedd453
                      • Opcode Fuzzy Hash: 127a56cf19eac2d639d40aab1aee026e5e332e5881976c8f2788673777e30913
                      • Instruction Fuzzy Hash: 27818374E00218DFDB54DFAAD984A9DBBF2BF88300F148069E819AB355EB349D45CF11
                      Function 02D7BEB0 Relevance: 6.4, Strings: 5, Instructions: 187COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                      • API String ID: 0-3801734409
                      • Opcode ID: bf8cc85a94a1eb3f6dffc7590023ceeeb5d9919bbb5e6a6e5c0ab41d6ea82ada
                      • Instruction ID: 052a46fb9afdb4276f96c1f59b9107aede87fdf09e3fa28e1bbe7c995cb7c115
                      • Opcode Fuzzy Hash: bf8cc85a94a1eb3f6dffc7590023ceeeb5d9919bbb5e6a6e5c0ab41d6ea82ada
                      • Instruction Fuzzy Hash: 6581A474E002189FDB14DFAAD984A9DBBF2BF88304F14C06AE819AB355EB359D45CF50
                      Function 02D7C470 Relevance: 6.4, Strings: 5, Instructions: 186COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                      • API String ID: 0-3801734409
                      • Opcode ID: 31b0e0ed106f62474fea4c1a968068f3c82dcaa23b14db043e07ba3e16382e7e
                      • Instruction ID: e90b93580cc1e7fd91137321faa1960ebb45f851364c7812275b4a4ff95fb478
                      • Opcode Fuzzy Hash: 31b0e0ed106f62474fea4c1a968068f3c82dcaa23b14db043e07ba3e16382e7e
                      • Instruction Fuzzy Hash: D281A474E00258DFDB14DFA9D984A9DBBF2BF88304F14906AD409AB365EB359D41CF10
                      Function 02D7CA32 Relevance: 6.4, Strings: 5, Instructions: 186COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                      • API String ID: 0-3801734409
                      • Opcode ID: 269270c84f8e8e2f478dae7d40da2087a71869e974dd50388d868a45a3dbcdec
                      • Instruction ID: 6712a9f7e8393e839724118f9bc5bd9b2727f6cc289bf8e58eb38f199c3e466e
                      • Opcode Fuzzy Hash: 269270c84f8e8e2f478dae7d40da2087a71869e974dd50388d868a45a3dbcdec
                      • Instruction Fuzzy Hash: 8E818474E102189FDB14DFA9D984A9DBBF2BF88300F14C06AE859AB365EB349D45CF50
                      Function 02D7BBD2 Relevance: 6.4, Strings: 5, Instructions: 184COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                      • API String ID: 0-3801734409
                      • Opcode ID: 9a83b8724c6e1d46bbdc8404a727d6d5a56102b3d71a58ffa40138b5921cbd4d
                      • Instruction ID: b23c6f721c0a1aa3e9e8c53722675c43e22b3e5524a5287f992c0fd0144bab68
                      • Opcode Fuzzy Hash: 9a83b8724c6e1d46bbdc8404a727d6d5a56102b3d71a58ffa40138b5921cbd4d
                      • Instruction Fuzzy Hash: A2819374E00218DFEB14DFAAD984A9DBBF2BF89304F14806AE449AB355EB349D45CF50
                      Function 02D76880 Relevance: 5.3, Strings: 4, Instructions: 336COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: (oq$(oq$,q$,q
                      • API String ID: 0-620556200
                      • Opcode ID: 39f274cb0ed1787a162b4919e8a735ea2240bde5dd2bbd83b6e6046688f9ad51
                      • Instruction ID: 0301ad0d0dbdeba58008fa22f315a83fefd9cc254290fe6641d9e2a2e90f6d3e
                      • Opcode Fuzzy Hash: 39f274cb0ed1787a162b4919e8a735ea2240bde5dd2bbd83b6e6046688f9ad51
                      • Instruction Fuzzy Hash: A1D10970A006199FDB14CFA9C984AADBBFAFF89344F158065E415AB365F738EC41CB90
                      Function 02D7B4F2 Relevance: 3.9, Strings: 3, Instructions: 152COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0oEp$PHq$PHq
                      • API String ID: 0-1671885247
                      • Opcode ID: 310f39e11fcdcb82e561c13c23ebb8066d07521c1c1bd134597fb397559f72cb
                      • Instruction ID: 409d5992f50ce7edf5015faa6fa7081a02fb00e7e9bc6a0c042ebd826ab88add
                      • Opcode Fuzzy Hash: 310f39e11fcdcb82e561c13c23ebb8066d07521c1c1bd134597fb397559f72cb
                      • Instruction Fuzzy Hash: 0E61B574E006189FEB18DFAAD944A9DBBF2FF88304F14C06AE519AB365EB345941CF50
                      Function 02D797E8 Relevance: 3.4, Strings: 2, Instructions: 892COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: (oq$4'q
                      • API String ID: 0-1336004174
                      • Opcode ID: a84e1084435dfe4c2835697cdf2308fc34f09cf234ec84474d7b97be6470cd6f
                      • Instruction ID: 66e1059e5eb5766a8912e91dcc35a28ff65497e349f1b7bfb45fdc3add1fb348
                      • Opcode Fuzzy Hash: a84e1084435dfe4c2835697cdf2308fc34f09cf234ec84474d7b97be6470cd6f
                      • Instruction Fuzzy Hash: 72828D75A00209DFDB19CF68C994AAEBBF2FF88304F158559E8059B3A5E738ED41CB50
                      Function 02D76108 Relevance: 3.0, Strings: 2, Instructions: 511COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: (oq$Hq
                      • API String ID: 0-2917151738
                      • Opcode ID: 6763c4c69d065c21ac23bdeb9bb240c0bf681b2cc1ebff48f4cc7712a8db5b25
                      • Instruction ID: 290c92d939436882f658403c439368f912f6ebca7e37fe2f2510092c896b3406
                      • Opcode Fuzzy Hash: 6763c4c69d065c21ac23bdeb9bb240c0bf681b2cc1ebff48f4cc7712a8db5b25
                      • Instruction Fuzzy Hash: 7E126D70A006199FDB18DF69C854BAEBBF6BF88304F148569E50ADB395EB34DC41CB90
                      Function 02D73572 Relevance: 3.0, Strings: 2, Instructions: 473COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: Xq$$q
                      • API String ID: 0-855381642
                      • Opcode ID: c958f8a2d13378f2d8cd95dc7c0cc4f65b18287f8f3f5e418aee96216e7d5edc
                      • Instruction ID: 72c3150db687c915456a9d2be5b5bf9a650bedc8fb7f8c4aba286c69fb91bab6
                      • Opcode Fuzzy Hash: c958f8a2d13378f2d8cd95dc7c0cc4f65b18287f8f3f5e418aee96216e7d5edc
                      • Instruction Fuzzy Hash: 7B028134F052588FDB58DFB9D8906AEBBB2BF88300B148569E846EB354DF359C02DB51
                      Function 02D76E58 Relevance: 10.5, Strings: 8, Instructions: 475COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                      • API String ID: 0-2212926057
                      • Opcode ID: 4a4457a8ddbf5761ef97f864be4ebb5e1c319dd60833a96a6c7f3ded22af6755
                      • Instruction ID: 44ca1d1c02d675e051d4a3a69271d1f5d9dd6f1e57bde9f167125bf3d5cab306
                      • Opcode Fuzzy Hash: 4a4457a8ddbf5761ef97f864be4ebb5e1c319dd60833a96a6c7f3ded22af6755
                      • Instruction Fuzzy Hash: 2F123B30A006099FDB24DF69D884A9EBBF2FF48318F158959E855DB3A1E734ED41CB50
                      Function 02D777F0 Relevance: 3.2, Strings: 2, Instructions: 690COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: $q$$q
                      • API String ID: 0-3126353813
                      • Opcode ID: 3be7f4e00ed9ac2d0c5158b5435fb89209bc3786ecbf15c0fb4a64613b1f7098
                      • Instruction ID: ff1789cd916d16558faded1782d7ffffe445cecf765beeb84b00f30ec5aa69cf
                      • Opcode Fuzzy Hash: 3be7f4e00ed9ac2d0c5158b5435fb89209bc3786ecbf15c0fb4a64613b1f7098
                      • Instruction Fuzzy Hash: C552E434E002198FEB24DBA4C854BEEBB72EF98301F1081A9D10AAB754DF395D46EF55
                      Function 02D787E9 Relevance: 2.8, Strings: 2, Instructions: 328COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'q$4'q
                      • API String ID: 0-1467158625
                      • Opcode ID: 2b7ee8753617f3e245fec28665e76ac271804dcca19ed49b8bff705f65fde62e
                      • Instruction ID: fcc23a45825f328a28c34d30cf68ce43df58ef08afbdefbc151111f733830839
                      • Opcode Fuzzy Hash: 2b7ee8753617f3e245fec28665e76ac271804dcca19ed49b8bff705f65fde62e
                      • Instruction Fuzzy Hash: 0DB16C707541018FEB199B29C95DB393696EF85604F19406AE542CB3A1FF2DCC42FB52
                      Function 02D756A8 Relevance: 2.8, Strings: 2, Instructions: 323COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: Hq$Hq
                      • API String ID: 0-925789375
                      • Opcode ID: 85f507c236cc2dccd2bf1958f60d49fc8ec24dec8684bc58d91f35731d4396f5
                      • Instruction ID: b73d6dd8ec6a172420f28a577f62628f0ec59eea36eded155dc196b286426ca2
                      • Opcode Fuzzy Hash: 85f507c236cc2dccd2bf1958f60d49fc8ec24dec8684bc58d91f35731d4396f5
                      • Instruction Fuzzy Hash: AEB1D5347042158FDB299F78E854B6E7BA2BF88314F548529E946CB390EF78DC41CB92
                      Function 02D75C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: ,q$,q
                      • API String ID: 0-1667412543
                      • Opcode ID: 6d7c3c5774b87eb4cedb7a50abe377b23438b6eaaa29fb789e6ee7578142eb84
                      • Instruction ID: 798bf05d2d586ca81f360fddb7384628b0b64c84e028a424404545d5a998b9f9
                      • Opcode Fuzzy Hash: 6d7c3c5774b87eb4cedb7a50abe377b23438b6eaaa29fb789e6ee7578142eb84
                      • Instruction Fuzzy Hash: 37818235B00505CFDB14DF69D488AAAB7F2FF89214B948169D806DB364EB39EC41CF92
                      Function 02D73428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: Xq$Xq
                      • API String ID: 0-1556399337
                      • Opcode ID: 66e70a7ade47d7a031785fd95e35e6a1f1b89b1afd2ffdd445bdf5d9285bdc6d
                      • Instruction ID: d8bd8042e990e7467734ba01653e8ad89f7833c393647e581bb3e22843445d2b
                      • Opcode Fuzzy Hash: 66e70a7ade47d7a031785fd95e35e6a1f1b89b1afd2ffdd445bdf5d9285bdc6d
                      • Instruction Fuzzy Hash: 7231D571B003258BDFAD5AAA589537E659AABC4218F18407AE846C3380EF7CCC01E661
                      Function 02D70C8F Relevance: 1.7, Strings: 1, Instructions: 403COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: LRq
                      • API String ID: 0-3187445251
                      • Opcode ID: 50c9a558de8fe44cf048e119da07cca08ef99e06533441875d05ec8f934cd6ab
                      • Instruction ID: 48e1abd87a8aeaba09aea9ee8ff6361ae862ffc1eaa3e1e99d0708bc2b33c20e
                      • Opcode Fuzzy Hash: 50c9a558de8fe44cf048e119da07cca08ef99e06533441875d05ec8f934cd6ab
                      • Instruction Fuzzy Hash: CD22FB38E0122ACFCB54EF65E885A9DBBB2FF88301F1086A5D509AB358DB306D55CF51
                      Function 02D70CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: LRq
                      • API String ID: 0-3187445251
                      • Opcode ID: 892a0317461735fefb03a2ab69a390ad21f074a61de5a050c481567897c2f6e1
                      • Instruction ID: d3b32b640c868dbddc7d2ee3a2835cda88020e1a4a6cfddd5a190e67e2862119
                      • Opcode Fuzzy Hash: 892a0317461735fefb03a2ab69a390ad21f074a61de5a050c481567897c2f6e1
                      • Instruction Fuzzy Hash: F822FB38E0122ACFCB54EF65E885A9DBBB2FF88301F1086A5D509AB358DB306D55CF51
                      Function 02D7A650 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: (oq
                      • API String ID: 0-1999159160
                      • Opcode ID: d429c189213d71640dfacbcd5eaf906d8dd06063bb18e2292f1d83f2102ac839
                      • Instruction ID: fa9c421579fc7030da3d9e99335900694a1ec27f1ab1031b8a636e4aa273cb48
                      • Opcode Fuzzy Hash: d429c189213d71640dfacbcd5eaf906d8dd06063bb18e2292f1d83f2102ac839
                      • Instruction Fuzzy Hash: 3241D039B102048FDB199B68D9557AE7BB7BFCC211F148469E906EB390DF349C02CB94
                      Function 02D7A818 Relevance: .4, Instructions: 407COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 28dd9131a091ed3ff4e6b36fa3486bd369263d3dc843a5ffea52043bdfb7d745
                      • Instruction ID: 23b174519adb87d3bb6bf70682e6eda1634ebba12fbde3b9652b6d9d0f652873
                      • Opcode Fuzzy Hash: 28dd9131a091ed3ff4e6b36fa3486bd369263d3dc843a5ffea52043bdfb7d745
                      • Instruction Fuzzy Hash: 61F12C75A402158FCB04CF6DC984AAEBBF6FF88314B1A8059E515AB361DB39EC41CF50
                      Function 02D77438 Relevance: .2, Instructions: 201COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6ab6592b023e77228f51be0bf9fffc55db8225b8d639b64bb2280b470717c80e
                      • Instruction ID: 8aadded0e55a4954f57aa9d38beced3319035f454d590132f0ac1c264a2e7d14
                      • Opcode Fuzzy Hash: 6ab6592b023e77228f51be0bf9fffc55db8225b8d639b64bb2280b470717c80e
                      • Instruction Fuzzy Hash: 23712E347002458FEB55DF28C898AAEBBE6EF49705F1544A9E506CB3B1EB78DC41CB90
                      Function 02D7CEC7 Relevance: .2, Instructions: 172COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 184223bb13922e41459e124ba00856fd3bcb0b12e97fe4e38494890b8e6a798e
                      • Instruction ID: 0a9c79ca3dafaaf33f818de68e77eb88deb0a7397be34372e90791448cace232
                      • Opcode Fuzzy Hash: 184223bb13922e41459e124ba00856fd3bcb0b12e97fe4e38494890b8e6a798e
                      • Instruction Fuzzy Hash: D251BE38AB13469FD3192F60A5AE1AABFA8FB0F727B406D04F10E85019CF306449DF21
                      Function 02D7CED8 Relevance: .2, Instructions: 167COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b3af3d4ac482d643b231801ddffa7b63838ac01817f6c29c19c24dd5fb9e0b03
                      • Instruction ID: f850278c8084195b2f79121708dccdb1ee64bc0d24dcdfb6fd208fcd4e8c9583
                      • Opcode Fuzzy Hash: b3af3d4ac482d643b231801ddffa7b63838ac01817f6c29c19c24dd5fb9e0b03
                      • Instruction Fuzzy Hash: 8D519E38AB13478FD3182F60A5AE1AABFA8FB1F727B406D04F10E850198F306445DF14
                      Function 02D7CD10 Relevance: .1, Instructions: 138COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9c2f20a48a65c67078837aea80f5bedcfc9a7289bf2266c97894eecfc16b66c2
                      • Instruction ID: e60848e440318048443382fdb3e1d668b65b4058398bec7bb5f81681d74b709a
                      • Opcode Fuzzy Hash: 9c2f20a48a65c67078837aea80f5bedcfc9a7289bf2266c97894eecfc16b66c2
                      • Instruction Fuzzy Hash: F0519574E01208DFDB44DFA9D584A9DBBF2FF89300F24816AE415AB364DB31A901CF54
                      Function 02D73908 Relevance: .1, Instructions: 134COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 12b34ff2def21ff6303f2efbcc70471e178ccece7ced949f5fd1d3fc657474d2
                      • Instruction ID: 977e329d9c5543fbdd0d5502c22e53eb5b7b44b35e4c85641520e0ee00db84f9
                      • Opcode Fuzzy Hash: 12b34ff2def21ff6303f2efbcc70471e178ccece7ced949f5fd1d3fc657474d2
                      • Instruction Fuzzy Hash: CB519374E01218DFCB48DFA9E49099DBBB2FF89300B209569E905AB364DB35AC41CF50
                      Function 02D79A63 Relevance: .1, Instructions: 124COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fb0acfc8b25de9c1f27ba5fd9ea7ce0600504584fc1ac623f8a87343e54c82da
                      • Instruction ID: d1e5b25adc9f15f4cfc46020a9604a480f5488e8240873e38b7484758d29ec2c
                      • Opcode Fuzzy Hash: fb0acfc8b25de9c1f27ba5fd9ea7ce0600504584fc1ac623f8a87343e54c82da
                      • Instruction Fuzzy Hash: C7416D32A04249DFCF15CFA4C854BDDBBB2AF49314F048156E8559B395E738ED51CBA0
                      Function 02D76730 Relevance: .1, Instructions: 113COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9a2cf09f091d86bba078bde660b5e1a8777ebf013ed3ab2a65793706a1e9ad98
                      • Instruction ID: 3302b163d2e60dd44642f91b5d6e80047404f7bae88a04008f1c381535765f37
                      • Opcode Fuzzy Hash: 9a2cf09f091d86bba078bde660b5e1a8777ebf013ed3ab2a65793706a1e9ad98
                      • Instruction Fuzzy Hash: 4841CF30A00208DFDB148F65C904BAEBBBAEB84344F14842EE9559B381EB78DC55CFA1
                      Function 02D7D117 Relevance: .1, Instructions: 107COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d134a3a9070832b2bb58e8536e74cc39a5a0afe034a26d78ea1cf865cea375bb
                      • Instruction ID: 8a1096a0790731ba3167207cf71e11f1549a05d91269c44bf32a6da508d52429
                      • Opcode Fuzzy Hash: d134a3a9070832b2bb58e8536e74cc39a5a0afe034a26d78ea1cf865cea375bb
                      • Instruction Fuzzy Hash: DB31F335C612099FCB14AFA8E85D6EDBB75FF4B312F00AA15E409B7204EB34665ACF50
                      Function 02D74DC8 Relevance: .1, Instructions: 101COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a8f113552a2681ce7e6223dc28c98631ef0db07c0a9d3f51074414c2992e412e
                      • Instruction ID: 2e5943ad1028e62bc98bffb1d4f8e20def6d704a35671982aa58d8444e5f9636
                      • Opcode Fuzzy Hash: a8f113552a2681ce7e6223dc28c98631ef0db07c0a9d3f51074414c2992e412e
                      • Instruction Fuzzy Hash: E9318F7564014A9FCB069F69D894AAF7BB7FB88215F108425F9158B350DB38CC62DFA0
                      Function 02D776E0 Relevance: .1, Instructions: 87COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 08c803dc9fea4778dc90cf23034fc5a4945803c9e8e74f81cecf443ed58b46e2
                      • Instruction ID: e01ac8e6d484b63b56d3cd8d99aa459e3197dd8da0e8fdb777d3fa90367ca706
                      • Opcode Fuzzy Hash: 08c803dc9fea4778dc90cf23034fc5a4945803c9e8e74f81cecf443ed58b46e2
                      • Instruction Fuzzy Hash: B82180387502104BFB2817398894B7AA697AFC4759F244879E906CB798FF79CC42D7C0
                      Function 02D7A809 Relevance: .1, Instructions: 87COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c7700f5a4449fbff142ac71913c8537c10d93ab8ee959ff9d9d8b647ae5e362e
                      • Instruction ID: 4626631c163c12f5f004345b44e0c59ffbf17b399241e202d30c03200db16221
                      • Opcode Fuzzy Hash: c7700f5a4449fbff142ac71913c8537c10d93ab8ee959ff9d9d8b647ae5e362e
                      • Instruction Fuzzy Hash: D431AF70A001198FCB04CF6DC884AAFBBF2FF88354B658119E515973A5DB34EC12CB90
                      Function 02D72060 Relevance: .1, Instructions: 77COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 199bfbbbc8461f198fb516167e3c5f62e607c6855fd83a200791d7bb9b5f2909
                      • Instruction ID: 03c9082035420711fb32f448ff5d9af000640eb50a3efdc25dc2fb4f00e7faa4
                      • Opcode Fuzzy Hash: 199bfbbbc8461f198fb516167e3c5f62e607c6855fd83a200791d7bb9b5f2909
                      • Instruction Fuzzy Hash: 9D21F935A002559FCB14DF28C844BAE3BA5EB88350F61C519DD098B348EB36EE42CBD1
                      Function 02D75A70 Relevance: .1, Instructions: 74COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3f43b58976c732339001a799588364030ef3e1aa4dada9d8f7fb35d529a99dbe
                      • Instruction ID: 68b58fd0f6c74c4914e693456b2c7cf3033bbf7b6d56b4bea7413f4ee4a66943
                      • Opcode Fuzzy Hash: 3f43b58976c732339001a799588364030ef3e1aa4dada9d8f7fb35d529a99dbe
                      • Instruction Fuzzy Hash: D821DE353456118FD7299B29E49462BB7A2FBC8711B548179EC06CB344DF34EC06CBC1
                      Function 02D71F08 Relevance: .1, Instructions: 72COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: efdb3dd4b1ebebe3cf11382f31fde25a747e59aef48325a855e36561d34cd01b
                      • Instruction ID: 0f6f3ba4b05685515f0f71236acf68ac2c8a6bff723e1fdb621547c98529cc49
                      • Opcode Fuzzy Hash: efdb3dd4b1ebebe3cf11382f31fde25a747e59aef48325a855e36561d34cd01b
                      • Instruction Fuzzy Hash: D8217CB4C046098FCB15EFA8D4856EDBFF0FF49310F50426AD445A7354EB349A4ACBA2
                      Function 02D7D218 Relevance: .1, Instructions: 69COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 209580db00ee1cee8f15ef3cb6e86d6d30f7b32a7d4b18ae932352b53e9fd64c
                      • Instruction ID: 2526f96543b2dac9622255680f5c81619fec4f18a641c6860c5e45efe2ddc8cc
                      • Opcode Fuzzy Hash: 209580db00ee1cee8f15ef3cb6e86d6d30f7b32a7d4b18ae932352b53e9fd64c
                      • Instruction Fuzzy Hash: CC212774A012089BDF08DFB4E851AEDB7B2FB8A301F10A569D50173394DB359C41CA25
                      Function 02D74DB9 Relevance: .1, Instructions: 68COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f7fa2c6dfc5a33cf3f815e2723a385280ccf3a6b4c35123cc81a1c8c088042b6
                      • Instruction ID: e952838ccbcaba790a9da7ffcc6a8191f25d3bf40c40af25fb49dfb82874301c
                      • Opcode Fuzzy Hash: f7fa2c6dfc5a33cf3f815e2723a385280ccf3a6b4c35123cc81a1c8c088042b6
                      • Instruction Fuzzy Hash: A021E4717801099FDB059F69E444BAB3BB2FB88328F108425F8498B380DB38CC52CBE0
                      Function 02D7D228 Relevance: .1, Instructions: 64COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ea0d33ebf355a768fe02398dc8b9c607108b27b43b7cc524aa40df3c54df3c6d
                      • Instruction ID: 58b59e5399a3e0b17ebd2bd2112cf157675aae30e216d7cfbd4228b514f769d8
                      • Opcode Fuzzy Hash: ea0d33ebf355a768fe02398dc8b9c607108b27b43b7cc524aa40df3c54df3c6d
                      • Instruction Fuzzy Hash: DE21E434A022188BDF08DFB5E851AEEB7B2FB8A301F10A529D51573394DB39AD41CF65
                      Function 02D71F61 Relevance: .1, Instructions: 56COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 495811a018f6eb90f9e150570d96d95fa2271cf9cc75568b4dcfce2a4e4ce7f2
                      • Instruction ID: 0d83dc56ca62381bf2cdbf50c71ba7348b50915e2f4d589b3c63d2be48583149
                      • Opcode Fuzzy Hash: 495811a018f6eb90f9e150570d96d95fa2271cf9cc75568b4dcfce2a4e4ce7f2
                      • Instruction Fuzzy Hash: A021D3B8C106098FCB44EFA8D8456EDBFF4FB09300F50522AE905B2314EB346A45CFA5
                      Function 02D75607 Relevance: .1, Instructions: 53COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0139f4ab41e4e9973ab06f7e58862f44ac5edb1e73e73d233eebbd2cffea175b
                      • Instruction ID: 217b442674207df8a8db8d4bf3bfa3fbf4a654a840564dfe4fae26654f808ee5
                      • Opcode Fuzzy Hash: 0139f4ab41e4e9973ab06f7e58862f44ac5edb1e73e73d233eebbd2cffea175b
                      • Instruction Fuzzy Hash: 5101F5727401456FDB068E69A810AEE7BABEBC9251B58802AF915D7340DA79CC12CBA1
                      Function 02D72010 Relevance: .0, Instructions: 25COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 56b0abc6defcab8799ec29c5a5d0296fc265a39955860910152ef656ade4a078
                      • Instruction ID: 70701b19498cc52c542c5eec4179066f348e5facd0a1885ad12318e0dc88aa8c
                      • Opcode Fuzzy Hash: 56b0abc6defcab8799ec29c5a5d0296fc265a39955860910152ef656ade4a078
                      • Instruction Fuzzy Hash: C6E08636D2032953CB0097A5DC196EEB778EF91311FA55722D92132140EB71775A86A1
                      Function 02D72020 Relevance: .0, Instructions: 19COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cb3ff99e741640012afe7be1852ae16afaf5249c654617b9302aa83210891a05
                      • Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
                      • Opcode Fuzzy Hash: cb3ff99e741640012afe7be1852ae16afaf5249c654617b9302aa83210891a05
                      • Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1
                      Function 02D78258 Relevance: .0, Instructions: 18COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                      • Instruction ID: 41ffdd45e4651b1819b475aafedb12e78d24aee9af340eaa118c9429e07e3496
                      • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                      • Instruction Fuzzy Hash: FBC0803360C1242A9634104F7C45EB3774CC3C13F59150137F55CD330074469C4061F4
                      Function 02D7A70D Relevance: .0, Instructions: 16COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9a4b351d70b79c2562c24d3ef3ff71b236d03c83b48002a9125a12881f413c09
                      • Instruction ID: 9beed60332a817c1cdf47a58acb2a3f012d0b2b04c1b7463b9efc29b70316d01
                      • Opcode Fuzzy Hash: 9a4b351d70b79c2562c24d3ef3ff71b236d03c83b48002a9125a12881f413c09
                      • Instruction Fuzzy Hash: 97D0677AB510089FCB049F99E8409DDB7B6FB9C221B448116F915A3264CA319961DB64
                      Function 02D75EA8 Relevance: .0, Instructions: 15COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c5446b7da4566be9906198beea686b83b0726bb347c6119854621e579551ed93
                      • Instruction ID: 6e9584a89efee70332283f824de22d8201e93bf45237cae2a7f95b0a10ad0f92
                      • Opcode Fuzzy Hash: c5446b7da4566be9906198beea686b83b0726bb347c6119854621e579551ed93
                      • Instruction Fuzzy Hash: 4BD09575D0C3400BD312FF71FD42041373376C0109FC45581E4000D51EE734441D4795
                      Function 02D75EB8 Relevance: .0, Instructions: 12COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ce87bdc28cfb9c6cf1ed91b2881f64a1f6e5c028e838e3032750edbbc0bcd3bc
                      • Instruction ID: 84da70420b97ff7962cec3f1ad9c650150ce39779165a3c29c482695a51014d9
                      • Opcode Fuzzy Hash: ce87bdc28cfb9c6cf1ed91b2881f64a1f6e5c028e838e3032750edbbc0bcd3bc
                      • Instruction Fuzzy Hash: 8FC0223490031A4BC200FF32F904406376B77C0101F409610F0080900CDE7828090AD1

                      Non-executed Functions

                      Function 02D76088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.1393772314.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_2d70000_RegSvcs.jbxd
                      Similarity
                      • API ID:
                      • String ID: \;q$\;q$\;q$\;q
                      • API String ID: 0-2933265366
                      • Opcode ID: 90ee8f38c0738a87978798e86400c6b177bb9be9c8bcda8acc46831a66745115
                      • Instruction ID: 2d207c25ee17b0c7c54707e10483714c439c0e13bd183616d2b129095a381a5c
                      • Opcode Fuzzy Hash: 90ee8f38c0738a87978798e86400c6b177bb9be9c8bcda8acc46831a66745115
                      • Instruction Fuzzy Hash: 0A0184317009248FCB249A3DC444A2577EAAF886A4739427AF902CB3B4FB75DC41C7D0