Windows Analysis Report
7vwfhMuUQg.exe

Overview

General Information

Sample name: 7vwfhMuUQg.exe (renamed because the original name is a hash value)
Original sample name: e2b79e37d4a34bcab883b0de55809ab1be398fee99cde2fcb0058bac413192f7.exe
Analysis ID: 1467009
MD5: 87c41e117d5bf575fc5bd9dd9386e2aa
SHA1: 1ab94afc06ca89c564f43141281051aae9494086
SHA256: e2b79e37d4a34bcab883b0de55809ab1be398fee99cde2fcb0058bac413192f7
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code references suspicious native API functions
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 7vwfhMuUQg.exe (PID: 5824 cmdline: "C:\Users\user\Desktop\7vwfhMuUQg.exe" MD5: 87C41E117D5BF575FC5BD9DD9386E2AA)
    • 7vwfhMuUQg.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\7vwfhMuUQg.exe" MD5: 87C41E117D5BF575FC5BD9DD9386E2AA)
      • cmd.exe (PID: 2740 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\7vwfhMuUQg.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 5020 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration: {"Exfil Mode": "SMTP", "Username": "leftlutvar@valleycountysar.org", "Password": "DKw(r0%wpbd]", "Host": "mail.valleycountysar.org", "Port": "587"}
Yara matches in memory dumps

Source | Rule | Description | Author (matched strings listed below each row)
00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14807:$a1: get_encryptedPassword
  • 0x14afd:$a2: get_encryptedUsername
  • 0x14613:$a3: get_timePasswordChanged
  • 0x1470e:$a4: get_passwordField
  • 0x1481d:$a5: set_encryptedPassword
  • 0x15df9:$a7: get_logins
  • 0x15d5c:$a10: KeyLoggerEventArgs
  • 0x159f5:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x180e4:$x1: $%SMTPDV$
  • 0x1814a:$x2: $#TheHashHere%&
  • 0x1978b:$x3: %FTPDV$
  • 0x1987f:$x4: $%TelegramDv$
  • 0x159f5:$x5: KeyLoggerEventArgs
  • 0x15d5c:$x5: KeyLoggerEventArgs
  • 0x197af:$m2: Clipboard Logs ID
  • 0x1997b:$m2: Screenshot Logs ID
  • 0x19a47:$m2: keystroke Logs ID
  • 0x19953:$m4: \SnakeKeylogger\
00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(12 entries in total; only the first five are shown)

Yara matches in unpacked PE files

Source | Rule | Description | Author (matched strings listed below each row)
0.2.7vwfhMuUQg.exe.3987e40.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.7vwfhMuUQg.exe.3987e40.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.7vwfhMuUQg.exe.3987e40.4.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x12c07:$a1: get_encryptedPassword
  • 0x12efd:$a2: get_encryptedUsername
  • 0x12a13:$a3: get_timePasswordChanged
  • 0x12b0e:$a4: get_passwordField
  • 0x12c1d:$a5: set_encryptedPassword
  • 0x141f9:$a7: get_logins
  • 0x1415c:$a10: KeyLoggerEventArgs
  • 0x13df5:$a11: KeyLoggerEventArgsEventHandler
0.2.7vwfhMuUQg.exe.3987e40.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1a46b:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1969d:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19ad0:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ab0f:$a5: \Kometa\User Data\Default\Login Data
0.2.7vwfhMuUQg.exe.3987e40.4.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x13791:$s1: UnHook
  • 0x13798:$s2: SetHook
  • 0x137a0:$s3: CallNextHook
  • 0x137ad:$s4: _hook
(34 entries in total; only the first five are shown)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "leftlutvar@valleycountysar.org", "Password": "DKw(r0%wpbd]", "Host": "mail.valleycountysar.org", "Port": "587"}
Source: 7vwfhMuUQg.exe | ReversingLabs: Detection: 75%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 7vwfhMuUQg.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: 7vwfhMuUQg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.0
Source: 7vwfhMuUQg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: 7vwfhMuUQg.exe, 00000000.00000002.2111466516.00000000052A0000.00000004.08000000.00040000.00000000.sdmp, 7vwfhMuUQg.exe, 00000000.00000002.2109952565.0000000002881000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Yara match | File source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1, Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: 7vwfhMuUQg.exe, 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002591000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.130.147.85
Source: 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002656000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002643000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002694000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002656000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002715000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.00000000026E8000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.00000000026FF000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.000000000270A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002591000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: 7vwfhMuUQg.exe, 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002591000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002694000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002656000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002715000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.00000000026E8000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.00000000026FF000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.000000000270A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: 7vwfhMuUQg.exe, 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002656000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 7vwfhMuUQg.exe, 00000002.00000002.3958557701.000000000270A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002694000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.0000000002715000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.00000000026E8000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.00000000026FF000.00000004.00000800.00020000.00000000.sdmp, 7vwfhMuUQg.exe, 00000002.00000002.3958557701.000000000270A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary

Source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: 7vwfhMuUQg.exe PID: 5824, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 7vwfhMuUQg.exe PID: 5824, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: 7vwfhMuUQg.exe PID: 6600, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 7vwfhMuUQg.exe PID: 6600, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 0_2_00E82560
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 0_2_00E8D3DC
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 0_2_04D9A6D0
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 0_2_04D9B8E0
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 0_2_04D90040
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 0_2_04D90007
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 0_2_04D9B8D0
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A0C1F0
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A06168
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A0B388
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A0C4D0
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A0C7B1
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A06790
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A098B8
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A0CA91
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A04B31
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A0BC32
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A0BF10
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A035C8
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe | Code function: 2_2_00A0B552
Source: 7vwfhMuUQg.exe, 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000002.2111466516.00000000052A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000002.2110970570.0000000005130000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000002.2108217620.000000000091E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000000.2094010559.0000000000472000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameHumbling.exe. vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000002.2109952565.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000002.2109952565.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000002.2109952565.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000002.2109952565.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000000.00000002.2109952565.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe, 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe | Binary or memory string: OriginalFilenameHumbling.exe. vs 7vwfhMuUQg.exe
Source: 7vwfhMuUQg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: 7vwfhMuUQg.exe PID: 5824, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: 7vwfhMuUQg.exe PID: 5824, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: 7vwfhMuUQg.exe PID: 6600, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: 7vwfhMuUQg.exe PID: 6600, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, -R.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, -R.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, -R.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, -R.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.5130000.5.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.7vwfhMuUQg.exe.5130000.5.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
            Source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
            Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@2/2
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7vwfhMuUQg.exe.log
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1472:120:WilError_03
            Source: 7vwfhMuUQg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 7vwfhMuUQg.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 7vwfhMuUQg.exe ReversingLabs: Detection: 75%
            Source: unknown Process created: C:\Users\user\Desktop\7vwfhMuUQg.exe "C:\Users\user\Desktop\7vwfhMuUQg.exe"
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Process created: C:\Users\user\Desktop\7vwfhMuUQg.exe "C:\Users\user\Desktop\7vwfhMuUQg.exe"
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\7vwfhMuUQg.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: slc.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: 7vwfhMuUQg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 7vwfhMuUQg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: 7vwfhMuUQg.exe, 00000000.00000002.2111466516.00000000052A0000.00000004.08000000.00040000.00000000.sdmp, 7vwfhMuUQg.exe, 00000000.00000002.2109952565.0000000002881000.00000004.00000800.00020000.00000000.sdmp
            Source: 7vwfhMuUQg.exe Static PE information: 0xDA8CE5FE [Mon Mar 11 06:36:46 2086 UTC]
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Code function: 0_2_04D91C51 push esp; retf 0_2_04D91C52
            Source: 7vwfhMuUQg.exe Static PE information: section name: .text entropy: 7.315190041992545

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\7vwfhMuUQg.exe"
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Memory allocated: E80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Memory allocated: 2880000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Memory allocated: 2640000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Memory allocated: A00000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Memory allocated: 2590000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Memory allocated: 22E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe TID: 5716 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe TID: 5720 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe TID: 6816 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe TID: 3052 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exe TID: 5720 Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exeThread delayed: delay time: 600000Jump to behavior
            Source: 7vwfhMuUQg.exe, 00000002.00000002.3957576144.00000000008C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\7vwfhMuUQg.exeMemory allocated: page read and write | page guardJump to behavior
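The delay records above carry one recurring magic number, 922337203685477, next to the 600000 ms (10 minute) and 30000 ms sleeps. The following is an added example, not code from the report or from the sample: it derives that number (it is .NET TimeSpan.MaxValue expressed in milliseconds, i.e. Int64.MaxValue 100 ns ticks divided by 10000), reimplements the two thresholds the report itself states (the cookbook's "sleeps bigger than 100000000ms are reduced to 1000ms" rule and the "long sleeps (>= 3 min)" signature), and parses constructed copies of the report's own record lines. Treating the "-<n>s" form of the "Thread sleep time" records as milliseconds is an inference from the magnitude and from the cookbook's unit; the parsing is over the report's text shape, not a Joe Sandbox API.

```python
"""Triage of 'Thread delayed' / 'Thread sleep time' records.

Added example; not part of the Joe Sandbox report. Explains the value
922337203685477 and applies the report's own sleep thresholds.
"""
import re

# .NET TimeSpan.MaxValue = Int64.MaxValue ticks of 100 ns. In milliseconds:
# 9223372036854775807 // 10000 == 922337203685477, so a Thread.Sleep(TimeSpan.MaxValue)
# or Task.Delay(TimeSpan.MaxValue) is logged as exactly this value.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

SANDBOX_CLAMP_MS = 100_000_000    # cookbook: sleeps above this are cut ...
SANDBOX_CLAMPED_TO_MS = 1_000     # ... down to this
LONG_SLEEP_MS = 3 * 60 * 1000     # signature "Contains long sleeps (>= 3 min)"

# Record shapes as printed in the report. The leading '-' on the sleep form is the
# relative-time convention of the native delay API; the unit is taken as ms
# (inference, see the lead-in).
_DELAYED = re.compile(r"Thread delayed: delay time: (\d+)")
_SLEEP = re.compile(r"TID: (\d+)\s*Thread sleep time: -(\d+)s")


def parse_delay_ms(record):
    """(tid or None, delay_ms) for a delay record, or None for other lines."""
    m = _DELAYED.search(record)
    if m:
        return None, int(m.group(1))
    m = _SLEEP.search(record)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def classify_delay(ms):
    """Label a requested delay the way a triage analyst would."""
    if ms == TIMESPAN_MAX_MS:
        return "timespan-max"            # effectively 'sleep forever'
    if ms > SANDBOX_CLAMP_MS:
        return "clamped-by-sandbox"      # cookbook would shorten it
    if ms >= LONG_SLEEP_MS:
        return "long"                    # trips the long-sleep signature
    return "normal"


def effective_sandbox_ms(ms):
    """Delay the sample actually experiences under the sleep-bypass cookbook."""
    return SANDBOX_CLAMPED_TO_MS if ms > SANDBOX_CLAMP_MS else ms


def triage(records):
    """Map delay records to (tid, requested_ms, label, effective_ms)."""
    out = []
    for rec in records:
        parsed = parse_delay_ms(rec)
        if parsed is None:
            continue
        tid, ms = parsed
        out.append((tid, ms, classify_delay(ms), effective_sandbox_ms(ms)))
    return out


# Constructed copies of records from this section of the report.
SAMPLE_RECORDS = [
    r"Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\7vwfhMuUQg.exe Thread delayed: delay time: 600000",
    r"Source: C:\Users\user\Desktop\7vwfhMuUQg.exe TID: 5716 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\7vwfhMuUQg.exe TID: 6816 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Windows\System32\conhost.exe Last function: Thread delayed",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
```

The practical point for a detection engineer: a requested delay equal to TIMESPAN_MAX_MS is not a timing bug, it is the sample parking a thread indefinitely, and only the sandbox's clamp (1000 ms) let the run proceed. A rule that keys on the exact value is cheap and has very few benign hits.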

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.7vwfhMuUQg.exe.52a0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs -- Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) (2 occurrences)
Source: 0.2.7vwfhMuUQg.exe.52a0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs -- Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Memory written: C:\Users\user\Desktop\7vwfhMuUQg.exe base: 530000 value starts with: 4D5A
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Process created: C:\Users\user\Desktop\7vwfhMuUQg.exe "C:\Users\user\Desktop\7vwfhMuUQg.exe"
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\7vwfhMuUQg.exe"
Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Queries volume information: C:\Users\user\Desktop\7vwfhMuUQg.exe VolumeInformation
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Queries volume information: C:\Users\user\Desktop\7vwfhMuUQg.exe VolumeInformation
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\7vwfhMuUQg.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
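Two of the records in this section are worth turning into detections: the cmd.exe command line (cmd has no sleep, so `choice /C Y /N /D Y /T 3` auto-answers Y after 3 seconds and `&` then runs `Del` on the sample's own image), and the pair "process created: same image" followed by "memory written: base 530000, value starts with 4D5A" (4D 5A is the "MZ" DOS header, i.e. a whole PE being placed into the child; the 4-byte `ReadProcessMemory` at `num3 + 8` fits reading `ImageBaseAddress` at offset 8 of the 32-bit PEB, which is how a hollowing loader finds where to write). The block below is an added example, not code from the report or from the sample. Its event dicts are a constructed format, not Joe Sandbox's; PIDs 5824 and 6600 are the parent and child PIDs from the report's Yara memory matches, the PIDs of the cmd.exe and choice.exe processes and the `suspended` flag are constructed, and the command lines and the base/first-bytes values are copied from the records above.

```python
"""Two detections over process-tree records.

Added example; not code from the report or the sample. Event format is
constructed. PIDs 5824/6600 come from the report; 7000/7004 and the
'suspended' flag are assumptions for the sake of the example.
"""
import re

# `choice /C Y /N /D Y /T <n>` is cmd's stand-in for sleep; the del target is
# what matters: self-deletion means the target IS the parent's own image.
_CHOICE_SLEEP = re.compile(r"choice\s+/C\s+\S+\s+/N\s+/D\s+\S+\s+/T\s+(\d+)", re.I)
_DEL_TARGET = re.compile(r"\bdel\s+\"?([^\"&]+?)\"?\s*$", re.I)


def detect_self_delete(parent_image, child_cmdline):
    """(delay_seconds, deleted_path) if child_cmdline deletes parent_image
    after a choice-based delay, else None."""
    if "cmd.exe" not in child_cmdline.lower():
        return None
    sleep = _CHOICE_SLEEP.search(child_cmdline)
    target = _DEL_TARGET.search(child_cmdline)
    if not (sleep and target):
        return None
    path = target.group(1).strip()
    if path.lower() != parent_image.lower():
        return None                      # deletes something else: not self-deletion
    return int(sleep.group(1)), path


def detect_hollowing(events):
    """Correlate 'child created from the same image' with 'MZ header written
    into that child'. Returns one hit dict per such write."""
    children = {}                        # child_pid -> creation event (same image only)
    hits = []
    for ev in events:
        if ev["type"] == "process_created":
            if ev["image"].lower() == ev["source_image"].lower():
                children[ev["child_pid"]] = ev
        elif ev["type"] == "memory_written":
            created = children.get(ev["target_pid"])
            # "value starts with: 4D5A" in the report == b"MZ"
            if created and bytes.fromhex(ev["first_bytes"])[:2] == b"MZ":
                hits.append({
                    "parent_pid": ev["pid"], "child_pid": ev["target_pid"],
                    "base": ev["base"], "suspended": created.get("suspended", False),
                })
    return hits


def run_detections(events):
    """Apply both checks to an event stream; returns (kind, detail) findings."""
    findings = [("process_hollowing", h) for h in detect_hollowing(events)]
    for ev in events:
        if ev["type"] != "process_created":
            continue
        hit = detect_self_delete(ev["source_image"], ev["cmdline"])
        if hit:
            findings.append(("self_delete_via_cmd",
                             {"parent_pid": ev["pid"], "delay_s": hit[0], "path": hit[1]}))
    return findings


EXE = r"C:\Users\user\Desktop\7vwfhMuUQg.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events modelled on the records in this section.
SAMPLE_EVENTS = [
    {"type": "process_created", "pid": 5824, "source_image": EXE,
     "child_pid": 6600, "image": EXE, "cmdline": f'"{EXE}"', "suspended": True},
    {"type": "memory_written", "pid": 5824, "target_pid": 6600,
     "base": 0x530000, "first_bytes": "4D5A"},
    {"type": "process_created", "pid": 6600, "source_image": EXE,
     "child_pid": 7000, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\7vwfhMuUQg.exe"'},
    {"type": "process_created", "pid": 7000, "source_image": CMD,
     "child_pid": 7004, "image": r"C:\Windows\SysWOW64\choice.exe",
     "cmdline": "choice /C Y /N /D Y /T 3"},
]

if __name__ == "__main__":
    for kind, detail in run_detections(SAMPLE_EVENTS):
        print(kind, detail)
```

Keying the hollowing check on "same image as the parent" is deliberate: a loader that hollows its own binary produces a child whose on-disk image is clean, so image-based AV on the child sees nothing; the MZ write is the observable. The self-delete check should compare the del target against the parent's path, not just look for `choice` and `del`, or it will fire on installers that clean up a temp copy.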

Stealing of Sensitive Information

Yara match -- File source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE
Yara match -- File source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPE
Yara match -- File source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match -- File source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match -- File source: 00000002.00000002.3958557701.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match -- File source: Process Memory Space: 7vwfhMuUQg.exe PID: 5824, type: MEMORYSTR
Yara match -- File source: Process Memory Space: 7vwfhMuUQg.exe PID: 6600, type: MEMORYSTR

Yara match -- File source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE
Yara match -- File source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPE
Yara match -- File source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match -- File source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match -- File source: Process Memory Space: 7vwfhMuUQg.exe PID: 5824, type: MEMORYSTR
Yara match -- File source: Process Memory Space: 7vwfhMuUQg.exe PID: 6600, type: MEMORYSTR

Remote Access Functionality

Yara match -- File source: 0.2.7vwfhMuUQg.exe.3987e40.4.unpack, type: UNPACKEDPE
Yara match -- File source: 2.2.7vwfhMuUQg.exe.530000.0.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.3967610.3.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.3967610.3.raw.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.3987e40.4.raw.unpack, type: UNPACKEDPE
Yara match -- File source: 0.2.7vwfhMuUQg.exe.38d7b70.2.raw.unpack, type: UNPACKEDPE
Yara match -- File source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match -- File source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match -- File source: 00000002.00000002.3958557701.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match -- File source: Process Memory Space: 7vwfhMuUQg.exe PID: 5824, type: MEMORYSTR
Yara match -- File source: Process Memory Space: 7vwfhMuUQg.exe PID: 6600, type: MEMORYSTR
MITRE ATT&CK matrix: techniques that carry a signature badge, by tactic (the figure in parentheses is the badge as rendered; unbadged cells of the matrix are the untriggered technique placeholders)

Reconnaissance: none
Resource Development: none
Initial Access: none
Execution: Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (111); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (1); Timestomp (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: none
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: none
Collection: Archive Collected Data (11)
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)
Exfiltration: none
Impact: none
Source | Detection | Scanner | Label
7vwfhMuUQg.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeLogger
7vwfhMuUQg.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/ | 0% | Avira URL Cloud | safe
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | Avira URL Cloud | safe
http://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://103.130.147.85 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
checkip.dyndns.com | 132.226.247.73 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | Avira URL Cloud: safe | unknown
Name | Source (memory dumps of 7vwfhMuUQg.exe) | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | 00000002.00000002.3958557701.0000000002694000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.00000000026F4000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.0000000002656000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.0000000002715000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.00000000026E8000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.00000000026FF000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.000000000270A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | 00000002.00000002.3958557701.0000000002643000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.0000000002694000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.00000000026F4000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.0000000002656000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.0000000002715000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.00000000026E8000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.00000000026FF000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.000000000270A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | 00000002.00000002.3958557701.0000000002656000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | 00000002.00000002.3958557701.0000000002694000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.00000000026F4000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.0000000002715000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.00000000026E8000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.00000000026FF000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3958557701.000000000270A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 00000002.00000002.3958557701.0000000002591000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.130.147.85 | 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp; 00000002.00000002.3958557701.0000000002591000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/q | 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://reallyfreegeoip.org | 00000002.00000002.3958557701.0000000002671000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp; 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp; 00000002.00000002.3958557701.0000000002656000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
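The network section shows the sample's two-step geolocation: a request to checkip.dyndns.org (which echoes the caller's public address) and then https://reallyfreegeoip.org/xml/8.46.123.33, where the address learned in step one is embedded in the path. Neither host is malicious on its own, so a useful rule correlates the pair per process. The block below is an added example, not from the report or the sample. Its log lines are a constructed pipe-separated format (not a Joe Sandbox or proxy-vendor format); the host names and the address 8.46.123.33 come from the report, while the 120 second window, the PIDs and the timestamps are assumptions. The "no User-Agent" check mirrors the report's observation that some of the sample's HTTP requests carry no user agent.

```python
"""Correlating 'find my public IP' with 'geolocate that IP'.

Added example; not code from the report. Log format is constructed.
"""
import ipaddress
import re

IP_ECHO_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
WINDOW_S = 120                     # assumption: the two requests follow each other closely

# IPv4 literal not glued to other digits/dots (so '1.2.3.4.5' is not split into a hit)
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def public_ipv4_in_path(path):
    """First globally routable IPv4 literal embedded in a URI path, else None.
    Private/reserved ranges are ignored so an internal lookup does not fire."""
    for m in _IPV4.finditer(path):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:             # e.g. an octet above 255
            continue
        if ip.is_global:
            return str(ip)
    return None


def parse_record(line):
    """'ts|pid|host|path|user_agent' -> dict (constructed format)."""
    ts, pid, host, path, ua = line.split("|", 4)
    return {"ts": int(ts), "pid": int(pid), "host": host.lower(), "path": path, "ua": ua}


def correlate(lines):
    """Per process: an IP-echo request followed within WINDOW_S by a geoip
    request whose path carries a public IPv4. Also flags an empty User-Agent
    on the echo request. Returns (kind, pid, detail) tuples in log order."""
    last_echo = {}                     # pid -> timestamp of its last IP-echo request
    findings = []
    for rec in map(parse_record, lines):
        if rec["host"] in IP_ECHO_HOSTS:
            last_echo[rec["pid"]] = rec["ts"]
            if rec["ua"] == "":
                findings.append(("no_user_agent", rec["pid"], rec["host"]))
        elif rec["host"] in GEOIP_HOSTS:
            ip = public_ipv4_in_path(rec["path"])
            t0 = last_echo.get(rec["pid"])
            if ip and t0 is not None and rec["ts"] - t0 <= WINDOW_S:
                findings.append(("ip_then_geoip", rec["pid"], ip))
    return findings


# Constructed log lines. 8.46.123.33 is the egress address visible in the
# report's reallyfreegeoip URL; PIDs and timestamps are made up.
SAMPLE_LOG = [
    "1720017051|6600|checkip.dyndns.org|/|",                              # no User-Agent
    "1720017052|6600|reallyfreegeoip.org|/xml/8.46.123.33|Mozilla/5.0",   # 1 s later: pair
    "1720017300|4242|reallyfreegeoip.org|/xml/8.46.123.33|curl/8.0",      # no prior echo
    "1720017400|4243|checkip.dyndns.org|/|Mozilla/5.0",
    "1720017900|4243|reallyfreegeoip.org|/xml/8.46.123.33|Mozilla/5.0",   # 500 s later: outside window
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

The sequence, not the hosts, is the signal: the context tables below show the same two services across many Snake Keylogger submissions, but each host also has legitimate users, so a plain host blocklist would be noisy while the echo-then-geoip pair within a short window from one process is rare outside stealers.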
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467009
Start date and time: 2024-07-03 16:30:43 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7vwfhMuUQg.exe (renamed because the original name is a hash value)
Original Sample Name: e2b79e37d4a34bcab883b0de55809ab1be398fee99cde2fcb0058bac413192f7.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/1@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 75
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 7vwfhMuUQg.exe, PID 6600 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 7vwfhMuUQg.exe
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.96.3 | 9098393827383039.exe | malicious | FormBook | www.coinwab.com/kqqj/
188.114.96.3 | SOA 020724.exe | malicious | FormBook | www.ad14.fun/az6h/?Vn=Ydx4qJJ0n&3jJlx=2tWzkzncG4ra8DBegJJBToW7oB13AdJXZ1KkbDLW+Ah9MGsNEQDOdLre6u2t4zOJ63yLnsPJ97sPnqMxsSzbOxuABFq0Im2Ecm9EQ8GOdhogxDCvRrrALITlDFg7ZHNgcXHQPxMcHnGf
188.114.96.3 | Adjunto confirmacion de pedido.exe | malicious | DBatLoader, FormBook | www.coinwab.com/kqqj/
188.114.96.3 | aAEsSBx24sxHhRz.exe | malicious | FormBook | www.camperelektrikde.shop/dy13/?GdIHAFZ=8bNdgr3QvPw6/pDIZNt+55DvjzemDI0RO+pYD3qlulbIe6f7Sn3K06Z4F4Tg3hK83Y0/&BhU=5jl0ddZhNnYlOrV0
188.114.96.3 | http://sp.26skins.com/steamstore/category/adventure_rpg/?snr=1_5_9__12 | malicious | Unknown | sp.26skins.com/favicon.ico
188.114.96.3 | 30Fqen2Bu3.exe | malicious | Unknown | filetransfer.io/data-package/TbaYPT0S/download
188.114.96.3 | 30Fqen2Bu3.exe | malicious | Unknown | filetransfer.io/data-package/TbaYPT0S/download
188.114.96.3 | Vg46FzGtNo.exe | malicious | DCRat, PureLog Stealer, zgRAT | 000366cm.nyashka.top/phpflowergenerator.php
188.114.96.3 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/mHgyHEv5/download
188.114.96.3 | file.exe | malicious | FormBook | www.cavetta.org.mt/yhnb/
132.226.247.73 | k8TljgjfDl.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | project plan.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | MT_01452_03607PDF.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | oHchwlxMNG.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | vsl particulars packing list.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | Order Details.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | itinerary_1719382117.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | Halkbank_Ekstre_20240625_082306_910668.bat.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | 242010.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | j6OUc3S2uP.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | 1mXbuDDPbF.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | k8TljgjfDl.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | IMG_0178520003023PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | MT_01452_03607PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | whiteee.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | whiteee.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | Details.exe | malicious | Snake Keylogger | 188.114.96.3
checkip.dyndns.com | j6OUc3S2uP.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | 1mXbuDDPbF.exe | malicious | PureLog Stealer, Snake Keylogger | 193.122.130.0
checkip.dyndns.com | k8TljgjfDl.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | project plan.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | IMG_0178520003023PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | MT_01452_03607PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | payment.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | whiteee.exe | malicious | Snake Keylogger | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://booking.extnnehotteir.com/admin/o2shi1bka89 | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | j6OUc3S2uP.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | MUdeeReQ5R.exe | malicious | FormBook | 172.67.147.144
CLOUDFLARENETUS | q86onx3LvU.exe | malicious | PureLog Stealer | 104.21.10.178
CLOUDFLARENETUS | Vertex Business Services_SKM_C950633210_650106.pdf | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | 6Ek4nfs2y1.exe | malicious | PhoenixKeylogger, PureLog Stealer | 104.21.10.178
CLOUDFLARENETUS | 9098393827383039.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | https://www.filemail.com/t/RuKZYfeB | malicious | HTMLPhisher | 172.64.41.3
CLOUDFLARENETUS | kZa81nzREg.exe | malicious | AgentTesla | 172.67.196.55
UTMEMUS | j6OUc3S2uP.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | k8TljgjfDl.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | project plan.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | MT_01452_03607PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.247.73
UTMEMUS | lista de cotizaciones.xlam.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | Details.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | oHchwlxMNG.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | scan copy.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | CDMZxujRpn.elf | malicious | Mirai | 132.192.25.142
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | j6OUc3S2uP.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | kZa81nzREg.exe | malicious | AgentTesla | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | ptKNiAaGus.exe | malicious | Unknown | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | beK7HmoXro.exe | malicious | Unknown | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | 1mXbuDDPbF.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | k8TljgjfDl.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | IMG_0178520003023PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | MT_01452_03607PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | fin.746.msi | malicious | Unknown | 188.114.96.3
No context
Process: C:\Users\user\Desktop\7vwfhMuUQg.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.304137350958184
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:7vwfhMuUQg.exe
                  File size:532'992 bytes
                  MD5:87c41e117d5bf575fc5bd9dd9386e2aa
                  SHA1:1ab94afc06ca89c564f43141281051aae9494086
                  SHA256:e2b79e37d4a34bcab883b0de55809ab1be398fee99cde2fcb0058bac413192f7
                  SHA512:16c43e53f8d613d18bea8470917f023618d86bde991d175434fd2171f025dfea33901faca8e2667379e81a318cc1db29637bd9880192607d5fea860e3afa29a3
                  SSDEEP:6144:sTVFZInd6Xcfg9UZndhc7KFCEBbDlRPBUYLvyvvRFBZrrfXB0JaTc0ApziCbI:s5kndmHuxV/JUJDBZrSJaTopzi8I
                  TLSH:9CB4C03837A415B4D4368AFAA4E2403DAA7179A274E2C65165CF1FDD39CAFC08D8721F
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............~6... ...@....@.. ....................................@................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x48367e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0xDA8CE5FE [Mon Mar 11 06:36:46 2086 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes after the six-byte CLR entry stub are zero padding, and 00 00 decodes as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x83628 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x59e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x81684 | 0x81800 | 6711f849ea7e834450e5a2f41aa91796 | False | 0.5435380972490348 | data | 7.315190041992545 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x84000 | 0x59e | 0x600 | a7dcf28809e6e4005982d016358a971d | False | 0.4186197916666667 | data | 4.052104303958992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0xc | 0x200 | 29bcd969129e4c4ee9ee0bc83c473a4c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x840a0 | 0x314 | data | | | 0.434010152284264
RT_MANIFEST | 0x843b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
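The static fields above (a link timestamp decoding to 2086, a populated COM descriptor directory, an entrypoint that is a single jmp through the IAT to mscoree!_CorExeMain) are the checks a triage script would reproduce. The following is an added example, not Joe Sandbox code: it builds a constructed minimal PE32 header carrying the values the report lists (the header bytes and the entry stub are assembled here, they are not the analysed binary), parses it back, and applies the three checks.

```python
"""Static PE header checks of the kind summarised in the report's static section:
link timestamp sanity, CLR header presence, and the single-jump .NET entry stub.
Added example, not Joe Sandbox code. SAMPLE_HEADER is a constructed minimal PE32
header carrying the report's values; it is not the analysed sample."""
import datetime
import struct

IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
UTC = datetime.timezone.utc
# Sandbox clock, taken from the HTTP Date header in the report.
ANALYSIS_TIME = datetime.datetime(2024, 7, 3, 14, 31, 33, tzinfo=UTC)


def build_minimal_pe(timestamp, entry_rva, image_base, iat, clr):
    """Constructed PE32 header: DOS header, PE signature, COFF header, optional
    header. Only the fields read by parse_headers are populated."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: "PE\0\0" at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    for idx, (rva, size) in ((IMAGE_DIRECTORY_ENTRY_IAT, iat),
                             (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr)):
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_headers(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, ts, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    return {
        "machine": machine,
        "sections": nsections,
        "characteristics": characteristics,
        "timestamp": ts,
        "link_time": datetime.datetime.fromtimestamp(ts, tz=UTC),
        "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from("<I", data, opt + 28)[0],
        "directories": dirs,
    }


def timestamp_is_suspicious(hdr, observed_at=ANALYSIS_TIME):
    """A zero or future link timestamp means the field was cleared or forged: useless
    for timelining, but a stable hunting feature for this builder's output."""
    return hdr["timestamp"] == 0 or hdr["link_time"] > observed_at


def is_dotnet(hdr):
    """A non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR marks a managed assembly."""
    rva, size = hdr["directories"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    return rva != 0 and size != 0


def clr_stub_target(entry_bytes):
    """The native entry of a 32-bit .NET image is one 'jmp dword ptr [addr]'
    (FF 25 imm32) whose operand is the IAT slot holding mscoree!_CorExeMain."""
    if entry_bytes[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", entry_bytes, 2)[0]


def clr_stub_points_at_iat(entry_bytes, hdr):
    iat_rva, iat_size = hdr["directories"][IMAGE_DIRECTORY_ENTRY_IAT]
    target = clr_stub_target(entry_bytes)
    lo = hdr["image_base"] + iat_rva
    return target is not None and lo <= target < lo + iat_size


# Values from the report; the header bytes themselves are constructed.
SAMPLE_HEADER = build_minimal_pe(0xDA8CE5FE, 0x8367E, 0x400000, (0x2000, 0x8), (0x2008, 0x48))
# First bytes at the entrypoint as the report disassembles them: jmp dword ptr [00402000h].
ENTRY_STUB = b"\xff\x25\x00\x20\x40\x00" + b"\x00" * 10

if __name__ == "__main__":
    h = parse_headers(SAMPLE_HEADER)
    print("link time:", h["link_time"], "suspicious:", timestamp_is_suspicious(h))
    print(".NET:", is_dotnet(h), "stub -> IAT:", clr_stub_points_at_iat(ENTRY_STUB, h))
```

The stub check matters because the report's disassembly is otherwise uninformative: with a .NET image, everything past the six-byte jmp is the .text padding, and the real behaviour lives in the CIL metadata, so the next step is a managed decompiler rather than a native disassembler.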
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 16:31:32.784348965 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:32.789459944 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:32.789587975 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:32.789782047 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:32.795543909 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:33.459002972 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:33.468163967 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:33.474805117 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:33.674504995 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:33.719679117 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:33.782370090 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:33.782413960 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:33.782479048 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:33.832643986 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:33.832659006 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:34.303502083 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:34.303622961 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:34.330873966 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:34.330904007 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:34.331284046 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:34.375957966 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:34.446244955 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:34.492502928 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:34.553364992 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:34.553463936 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:34.553534985 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:34.581573009 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:34.585611105 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:34.590533972 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:34.790329933 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:34.797132969 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:34.797240019 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:34.797353029 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:34.797646999 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:34.797683001 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:34.844717979 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:35.261044025 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:35.266724110 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:35.266771078 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:35.394371033 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:35.394474983 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:35.394524097 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:35.402394056 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:35.453120947 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:35.457989931 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:35.657546997 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:35.658399105 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:35.658449888 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:35.658524990 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:35.658848047 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:35.658866882 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:35.704044104 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:36.136040926 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:36.137861013 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:36.137885094 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:36.283288956 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:36.283380032 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:36.283427954 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:36.283963919 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:36.287205935 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:36.292268038 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:36.492338896 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:36.493309975 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:36.493350029 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:36.493434906 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:36.493755102 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:36.493767023 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:36.532396078 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:36.961446047 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:36.963413954 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:36.963449001 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:37.092454910 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:37.092586040 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:37.092638016 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:37.093408108 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:37.096834898 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:37.102128029 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:37.301677942 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:37.302869081 CEST | 49718 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:37.302905083 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:37.302992105 CEST | 49718 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:37.303323030 CEST | 49718 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:37.303339958 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:37.344924927 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:37.764549971 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:37.766374111 CEST | 49718 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:37.766391993 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:37.913305998 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:37.913403988 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:37.913600922 CEST | 49718 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:37.922720909 CEST | 49718 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:37.982485056 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:37.987711906 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:38.187705040 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:38.191745043 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:38.191800117 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:38.191874981 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:38.192233086 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:38.192250013 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:38.235337973 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:38.656172991 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:38.658075094 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:38.658107042 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:38.796392918 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:38.796478987 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:38.796636105 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:38.797458887 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:38.800708055 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:38.805685997 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:39.005669117 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:39.006901979 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:39.006952047 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:39.007039070 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:39.007437944 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:39.007452011 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:39.047910929 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:39.475714922 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:39.481551886 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:39.481580019 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:39.606852055 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:39.606956005 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:39.606997013 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:39.607769966 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:39.611668110 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:39.616585016 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:39.816641092 CEST | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jul 3, 2024 16:31:39.817543983 CEST | 49724 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:39.817589045 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:39.817658901 CEST | 49724 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:39.817981958 CEST | 49724 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:39.817994118 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:39.860312939 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jul 3, 2024 16:31:40.292833090 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:40.327719927 CEST | 49724 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:40.327744961 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:40.434937000 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:40.435039997 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.6
Jul 3, 2024 16:31:40.435087919 CEST | 49724 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:40.435699940 CEST | 49724 | 443 | 192.168.2.6 | 188.114.96.3
Jul 3, 2024 16:31:40.622617960 CEST | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 16:31:32.770555973 CEST | 64946 | 53 | 192.168.2.6 | 1.1.1.1
Jul 3, 2024 16:31:32.779099941 CEST | 53 | 64946 | 1.1.1.1 | 192.168.2.6
Jul 3, 2024 16:31:33.769985914 CEST | 64278 | 53 | 192.168.2.6 | 1.1.1.1
Jul 3, 2024 16:31:33.781582117 CEST | 53 | 64278 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 16:31:32.770555973 CEST | 192.168.2.6 | 1.1.1.1 | 0x9c77 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 3, 2024 16:31:33.769985914 CEST | 192.168.2.6 | 1.1.1.1 | 0x1c34 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 16:31:32.779099941 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c77 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 16:31:32.779099941 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c77 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 16:31:32.779099941 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c77 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 16:31:32.779099941 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c77 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 16:31:32.779099941 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c77 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 16:31:32.779099941 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c77 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 16:31:33.781582117 CEST | 1.1.1.1 | 192.168.2.6 | 0x1c34 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 16:31:33.781582117 CEST | 1.1.1.1 | 192.168.2.6 | 0x1c34 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  • reallyfreegeoip.org
                  • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 132.226.247.73 | 80 | 6600 | C:\Users\user\Desktop\7vwfhMuUQg.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 16:31:32.789782047 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
Jul 3, 2024 16:31:33.459002972 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:33 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 3943ae4979bd2acd752ee8367aacf7cf
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 3, 2024 16:31:33.468163967 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
Jul 3, 2024 16:31:33.674504995 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:33 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: d95b4760daffc5482bbf0c852e4448f1
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 3, 2024 16:31:34.585611105 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
Jul 3, 2024 16:31:34.790329933 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:34 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: b33924000e77d72d3569e7491f084d28
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 3, 2024 16:31:35.453120947 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
Jul 3, 2024 16:31:35.657546997 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:35 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: ead4f9baedf31c6604ee3d14940c9a4e
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 3, 2024 16:31:36.287205935 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
Jul 3, 2024 16:31:36.492338896 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:36 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 6662f1d4ab9f1ab4e3c9755968566608
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 3, 2024 16:31:37.096834898 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
Jul 3, 2024 16:31:37.301677942 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:37 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: b4f5d0b5d6d7c07bc42da4ee01c2a70f
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 3, 2024 16:31:37.982485056 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
Jul 3, 2024 16:31:38.187705040 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:38 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 92b68779ce8ea183d54fbb0e8ba25450
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 3, 2024 16:31:38.800708055 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jul 3, 2024 16:31:39.005669117 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:38 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: a30a0c95deca0239a13c53066a71fa0b
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                  Jul 3, 2024 16:31:39.611668110 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jul 3, 2024 16:31:39.816641092 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:39 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: a07b6eb8f064a6999a4868167b3dade0
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | 6600 | C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-03 14:31:34 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-03 14:31:34 UTC | 706 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:34 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 29718
                  Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KPKYTGa2uIHEizPNrR%2FZt1OSlyxiom6T9ioB0tnXp8RklyHaeEwuEju46eJa0eQXHdAyLjKpzNRXGzPip%2BitsFL1cPRF2l9xTYJaW%2B8of92T5SZzUk4sIxQiLqX2u25QRraf5huA"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d794789ed80f84-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-03 14:31:34 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-03 14:31:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.6 | 49714 | 188.114.96.3 | 443 | 6600 | C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-03 14:31:35 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-03 14:31:35 UTC | 712 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:35 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 29719
                  Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nrDngdMt%2BTJ0oOy2IMO4dqhS13lRywsL6QEih%2Bu2cd2DAGAE%2BqlCDEo0yF599Ecz%2FxT%2BmEyQQKVCjuChBXepyDNAtKWezlwTSUW8NBjBEaJ7uzOxKR888WPkQ%2Fgl9lF2b0FSe1bS"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d7947ddbc341ad-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-03 14:31:35 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-03 14:31:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.6 | 49715 | 188.114.96.3 | 443 | 6600 | C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-03 14:31:36 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-03 14:31:36 UTC | 714 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:36 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 29720
                  Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nB1mga1tNmIaqEI3Zk33Hs0zo5zH7yNAyiAQexfrK63%2Fnfl4SRMKAjQnAxmyssKsBtJRJGLfnk2m9DwN%2FjVv5M8r%2F%2Foicl2%2F1djFPq%2BlZr9Uvc28S1rm7msKXg%2FX61OoyEpZgKey"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d794836e445e70-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-03 14:31:36 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-03 14:31:36 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.6 | 49717 | 188.114.96.3 | 443 | 6600 | C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-03 14:31:36 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-03 14:31:37 UTC | 710 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:37 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 29721
                  Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RGN7guH1041%2ByNC1jxogXuffBp%2F8E8WGVstDaopEylUf5ib2KdBHH%2FQyknA0o8voo7tkiZR3kXaQi5RNqtg%2Ffj3qRa3vZldZRWyXhQRUAcGnsXWpIFSABYr5Ifr5At9HD5GM6Y%2Fy"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d794887c6dc42a-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-03 14:31:37 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-03 14:31:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  4 | 192.168.2.6 | 49718 | 188.114.96.3 | 443 | 6600 | C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-03 14:31:37 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-03 14:31:37 UTC | 708 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:37 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 29721
                  Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7%2Fz4H7HNmdAl1M7h0jkOb3GmgViAAQ4pZ%2Fi0RJfUfqUFwHEcMNm%2BTEvHW8KcRJtAfgykVSIU3rQvvtWlzLPPQIsU%2BWfLahtn4V1bvq8yQh7s2nRnaDUG0UbHcOFQA44339KHTR6l"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d7948d982fc47c-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-03 14:31:37 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-03 14:31:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.6 | 49720 | 188.114.96.3 | 443 | 6600 | C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-03 14:31:38 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-03 14:31:38 UTC | 710 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:38 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 29722
                  Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tfA9b%2BGMOT%2F7V9G7eQA0oXoTIebwEIRhZxfU76ucjZEwDAPUI95AZiSUdD9Qg92jE71zAcsPLfjyZG3bBuQa0mNxKLuy0bfMsZ%2B0GaA8bMPpXOyZkYz4CkqoB%2BDLJPOtB1U3Qj%2Fg"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d794931ef143af-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-03 14:31:38 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-03 14:31:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  6 | 192.168.2.6 | 49722 | 188.114.96.3 | 443 | 6600 | C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-03 14:31:39 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-03 14:31:39 UTC | 714 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:39 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 29723
                  Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A63oO%2B2sIR5y9%2B%2Fc4VeAEmtEXdwSyvOKXAuireTuTsVQe34KM%2BL8qP1SBlXfVIUAA0NTFbXnO%2Fm3v1YSIkzjv%2FBSWHI6xG3ISAynxxLNIElJBY4Z6AN%2FI6pcDbAPxW6THHYeL3nJ"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d794983af543a6-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-03 14:31:39 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-03 14:31:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  7 | 192.168.2.6 | 49724 | 188.114.96.3 | 443 | 6600 | C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-03 14:31:40 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-03 14:31:40 UTC | 712 | IN | HTTP/1.1 200 OK
                  Date: Wed, 03 Jul 2024 14:31:40 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 29724
                  Last-Modified: Wed, 03 Jul 2024 06:16:16 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SwBhvwnqLJWYDJRZDrkAUzFvVNhb%2BEPMfz8Ty59JKPZGLkd4wLLBdxGbQRPiyk8d%2Fxlm1jIbeTd6Hv%2FnfmDiG67TS6Wqa%2BqtZMz3Q%2BoiIkUzeVNC2sap1masqVcr%2BT9UXyG5k8uM"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89d7949d5cc617d9-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-03 14:31:40 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-03 14:31:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Target ID:0
                  Start time:10:31:30
                  Start date:03/07/2024
                  Path:C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\7vwfhMuUQg.exe"
                  Imagebase:0x470000
                  File size:532'992 bytes
                  MD5 hash:87C41E117D5BF575FC5BD9DD9386E2AA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2110119938.0000000003889000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:10:31:31
                  Start date:03/07/2024
                  Path:C:\Users\user\Desktop\7vwfhMuUQg.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\7vwfhMuUQg.exe"
                  Imagebase:0xe0000
                  File size:532'992 bytes
                  MD5 hash:87C41E117D5BF575FC5BD9DD9386E2AA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.3957028997.0000000000532000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3958557701.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  Target ID:4
                  Start time:10:31:39
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\7vwfhMuUQg.exe"
                  Imagebase:0x1c0000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:10:31:39
                  Start date:03/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:10:31:39
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\choice.exe
                  Wow64 process (32bit):true
                  Commandline:choice /C Y /N /D Y /T 3
                  Imagebase:0x830000
                  File size:28'160 bytes
                  MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                    Execution Graph

                    Execution Coverage:7.3%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:31.3%
                    Total number of Nodes:150
                    Total number of Limit Nodes:9
                    Execution Graph (rendered node/edge list omitted; the graph covers functions in the e80000, ced000 and 4d90000 regions and reaches the APIs GetModuleHandleW, LoadLibraryExW, DuplicateHandle, CallWindowProcW, CreateProcessW, Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread)

                    Control-flow Graph for 4d9b8e0 (rendered basic-block graph omitted; blocks span 4d9b8e0-4d9c3f5 and call 4d9a564, 4d9a570, 4d9a57c, 4d9a588, 4d9a594, 4d9a5a0, 4d9b4e1, 4d9b4e8, 4d9b5b8, 4d9b5c0, 4d9b6a8, 4d9b6b0, 4d9b769 and 4d9b770)
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID: (
                    • API String ID: 963392458-3887548279
                    • Opcode ID: 041847bada5594bb17090d9a65111d3afae35fdd5329186959dcda6a7201be71
                    • Instruction ID: 8dbf2d7fd9dd35bb124089eeeb1df79531e426309680c82406eb08aaa97188c8
                    • Opcode Fuzzy Hash: 041847bada5594bb17090d9a65111d3afae35fdd5329186959dcda6a7201be71
                    • Instruction Fuzzy Hash: EA52D275E012698FEB64DF65C944BEDB7F2BF89300F1081EA9409AB291DB346E85CF50
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: 6e9e99e9ee7d0e48b8de7e28fda247a16e50e00f1eb17af5a1c581c361f02c15
                    • Instruction ID: b854f09b134e715ae28c28d7ca16077d475cd6aa391a4d0e2dcf82d1acb1b73c
                    • Opcode Fuzzy Hash: 6e9e99e9ee7d0e48b8de7e28fda247a16e50e00f1eb17af5a1c581c361f02c15
                    • Instruction Fuzzy Hash: 6B32E471E012298FEB64DF65C944BEDBBF1BF89300F1481EA9109AB291DB746E85CF50
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a6da7d219f19decd80b508cc868ead3bde49e1435eb44a8f02623fc87217453
                    • Instruction ID: 5dbb7e7f2482f24ee0365b5d00e2258debb8d3388460640960e74f25239efb90
                    • Opcode Fuzzy Hash: 1a6da7d219f19decd80b508cc868ead3bde49e1435eb44a8f02623fc87217453
                    • Instruction Fuzzy Hash: C9817F35B002589BDB08AFB9985477EBBF3BFC9B00B15851DE446EB384DE359C058792

                    Control-flow Graph for e8a690 (rendered basic-block graph omitted; blocks span e8a690-e8a910, call e886ac, e8a91b, e8a928, e8a0bc, e8a0cc, e8a0dc and e8a0ec, and reach GetModuleHandleW at e8a8c8)
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00E8A8E6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2109640579.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 2c162b85941bc2ac0106ecfc96ecb114432ad78bba981ccd25571f68388f09b1
                    • Instruction ID: 11a8c8a0d8c32cb01d9a60d15d598ba047428363ef52787743c7b137d53cb850
                    • Opcode Fuzzy Hash: 2c162b85941bc2ac0106ecfc96ecb114432ad78bba981ccd25571f68388f09b1
                    • Instruction Fuzzy Hash: B3714670A00B058FEB24EF29D05475ABBF1FF88304F14892ED54AE7A50DB35E945CB92

                    Control-flow Graph for 4d9a564 (rendered basic-block graph omitted; blocks span 4d9a564-4d9c60d and reach CreateProcessW at 4d9c4c4)
                    APIs
                    • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,00000000,?), ref: 04D9C54C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: eb24bba2ec2c84d633e892470517eec450d39f58afa93aff8ac0bd41c791891f
                    • Instruction ID: f671a4a42b97ba1610402783847b0c768255c5fc5d6f7ea72503715960dcf814
                    • Opcode Fuzzy Hash: eb24bba2ec2c84d633e892470517eec450d39f58afa93aff8ac0bd41c791891f
                    • Instruction Fuzzy Hash: 6D512571901329DFDF20CF99C944BDDBBB2BF49700F0080AAE948A7250D771AA84CF51

                    Control-flow Graph for 4d9c404 (rendered basic-block graph omitted; blocks span 4d9c404-4d9c60d and reach CreateProcessW at 4d9c4c4)
                    APIs
                    • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,00000000,?), ref: 04D9C54C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: c0248db5edee9907ae4c5078ae2e5997f8e9bce764b2f3e0d2baa1f46ee06123
                    • Instruction ID: 938f2f81f7252522452ae2cd596d3e73b41ee391772bb1fc0914a62bc8c17800
                    • Opcode Fuzzy Hash: c0248db5edee9907ae4c5078ae2e5997f8e9bce764b2f3e0d2baa1f46ee06123
                    • Instruction Fuzzy Hash: 1D511471901329DFDF20CFA9C944BDDBBB2BF49710F10809AE908A7250DB71AA84CF51

                    Control-flow Graph for 4d93ec0 (rendered basic-block graph omitted; blocks span 4d93ec0-4d93fdc and reach CallWindowProcW at 4d93f5a)
                    APIs
                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 04D93F81
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: CallProcWindow
                    • String ID:
                    • API String ID: 2714655100-0
                    • Opcode ID: 68541c28ed2be7ce4664d216013d9c8b7e88fc59d6b06ee74f786ed8eaa562b5
                    • Instruction ID: 4928f83fb7b328636721e5281a76e7fa6c688a5d9a33084b9d119b349ee71ba4
                    • Opcode Fuzzy Hash: 68541c28ed2be7ce4664d216013d9c8b7e88fc59d6b06ee74f786ed8eaa562b5
                    • Instruction Fuzzy Hash: 0241F7B5900309DFDB14CF99C448AAABBF5FB88314F248459E519AB321D774A841CFA1

                    Control-flow Graph for 4d9b5b8 (rendered basic-block graph omitted; blocks span 4d9b5b8-4d9b696 and reach WriteProcessMemory at 4d9b61e)
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04D9B650
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: e2f4cf8df882ea6ef8a17e86763faed0bc851f2689c1c42321a66264f744fa48
                    • Instruction ID: c7a4166473c26af5170f0956b2c6e50ee6c0af437b0a5afe6278fea6a40745d2
                    • Opcode Fuzzy Hash: e2f4cf8df882ea6ef8a17e86763faed0bc851f2689c1c42321a66264f744fa48
                    • Instruction Fuzzy Hash: 3B21F7719003499FDF10CFA9D885BEEBBF5BF48310F14842AE558A7240D778A954CB65

                    Control-flow Graph for 4d9b5c0 (rendered basic-block graph omitted; blocks span 4d9b5c0-4d9b696 and reach WriteProcessMemory at 4d9b61e)
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04D9B650
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 3b88a1a114b9713c985a15dc1ca2494199cee3e1ded02ba8406ec40de23d92ba
                    • Instruction ID: 0b9c2505c644f5ecb685a252a7b9c8c980c156d4cd72ec2be38bf2ab47f692ac
                    • Opcode Fuzzy Hash: 3b88a1a114b9713c985a15dc1ca2494199cee3e1ded02ba8406ec40de23d92ba
                    • Instruction Fuzzy Hash: 9C2102719003499FDF10CFAAD881BEEBBF5BF48310F10842AE918A7240C778A954CBA5

                    Control-flow Graph for e8cb58 (rendered basic-block graph omitted; blocks span e8cb58-e8cc1a and reach DuplicateHandle in the first block)
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E8CB26,?,?,?,?,?), ref: 00E8CBE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2109640579.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 0b25ed859cdf54c5726f80c75404e28a956652f69d7f3103c0e01587c43af59d
                    • Instruction ID: 33b984a4b076a054faf2926cec436b7df350ab5c78877d0ff56806af81c7ddfe
                    • Opcode Fuzzy Hash: 0b25ed859cdf54c5726f80c75404e28a956652f69d7f3103c0e01587c43af59d
                    • Instruction Fuzzy Hash: 662116B5D00249EFDB10CFAAD985ADEBBF5EB49720F24841AE918B3310C3789944CF61

                    Control-flow Graph for e8bde0 (rendered basic-block graph omitted; blocks span e8bde0-e8cc1a and reach DuplicateHandle in the first block)
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E8CB26,?,?,?,?,?), ref: 00E8CBE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2109640579.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 9e65ebe67c64b356707d4675e42d8a85e17faac6f24e5c75d3cacb53295ba2de
                    • Instruction ID: 630cff493a1968c556db8a5147c4c0b239faab35acbc54cc27a64105e516309f
                    • Opcode Fuzzy Hash: 9e65ebe67c64b356707d4675e42d8a85e17faac6f24e5c75d3cacb53295ba2de
                    • Instruction Fuzzy Hash: E52105B5D00649DFDB10CFAAD885ADEBBF4EB49310F20841AE918B3350C374A944CFA5

                    Control-flow Graph for 4d9b4e1 (rendered basic-block graph omitted; blocks span 4d9b4e1-4d9b5ac and reach Wow64SetThreadContext at 4d9b543)
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04D9B566
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: e54e25eb8211b2b46e4c9cda3aa49a7644e89129bdaac03af8624f7909c4cc65
                    • Instruction ID: 228cee84d552057d33a38ebcf9183d1d40a0a0f2e718d9a340677d9af6e5c3eb
                    • Opcode Fuzzy Hash: e54e25eb8211b2b46e4c9cda3aa49a7644e89129bdaac03af8624f7909c4cc65
                    • Instruction Fuzzy Hash: C3213771D003099FEB50DFAAD4857AEBBF4FF89320F54842AD519A7240CB78A944CFA5

                    Control-flow Graph for 4d9b4e8 (rendered basic-block graph omitted; blocks span 4d9b4e8-4d9b5ac and reach Wow64SetThreadContext at 4d9b543)
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04D9B566
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: c484b70063b50b9b78c6f31f432acc9147eda2a3686705d4bf1509621ae5f7fb
                    • Instruction ID: 1277ac7a628973b4d524b756a6247b4de27d55c676769cca207f561b04e6ef8f
                    • Opcode Fuzzy Hash: c484b70063b50b9b78c6f31f432acc9147eda2a3686705d4bf1509621ae5f7fb
                    • Instruction Fuzzy Hash: 1F213471D003098FEB50DFAAD4857AEBBF4BF88320F54842AD519A7240CB78A944CFA5

                    Control-flow Graph for 4d9a588 (rendered basic-block graph omitted; blocks span 4d9a588-4d9c7a0 and reach ReadProcessMemory in the first block)
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,00010002), ref: 04D9C769
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: 208ec46d02ce0b68b93332e48a46c5e8e725fae4d124e85c6bdbd973ce1ddb55
                    • Instruction ID: 68e35132170e10a99b51d79ffe6aade200eaeb443075518f62b9c3826f6e0232
                    • Opcode Fuzzy Hash: 208ec46d02ce0b68b93332e48a46c5e8e725fae4d124e85c6bdbd973ce1ddb55
                    • Instruction Fuzzy Hash: 6D2102B5900709DFDB10CF9AD984AEEBBF4FB09710F50842AE918A3240D378A944CBA5

                    Control-flow Graph for 4d9a570 (rendered basic-block graph omitted; blocks span 4d9a570-4d9c6e2 and reach Wow64GetThreadContext at 4d9c68c)
                    APIs
                    • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 04D9C6AB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 9f48b58c491f69a330f3a6b81b3d267c6c53a5291151be7e4c7b49b28068bb59
                    • Instruction ID: b7a5896af59f38e7aa266a10f1bc0a40dd2dd0ee611a14ab1e830bda62076274
                    • Opcode Fuzzy Hash: 9f48b58c491f69a330f3a6b81b3d267c6c53a5291151be7e4c7b49b28068bb59
                    • Instruction Fuzzy Hash: 371126B1D106098FDB10DF9AD844BEEBBF4EB88720F558029D418E3250D378A944CFA5
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,00010002), ref: 04D9C769
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: 9515469553bbe037c89fbceb8f79c0f1118ea7544997f30aa95094023276a3e2
                    • Instruction ID: d4675763209896a08f56a6a7b06bcc4dc331d70803718aa0d3aafa307fef1144
                    • Opcode Fuzzy Hash: 9515469553bbe037c89fbceb8f79c0f1118ea7544997f30aa95094023276a3e2
                    • Instruction Fuzzy Hash: AE21E2B5800709DFDB10CF9AD984BDEBBF4FB49720F50842AE918A3250C378A944CBA5

                    Control-flow Graph for 4d9c638 (rendered basic-block graph omitted; blocks span 4d9c638-4d9c6e2 and reach Wow64GetThreadContext at 4d9c68c)
                    APIs
                    • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 04D9C6AB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: dd0f9cbfacd63485b6b0bef7153edd156b2421285721567efba0304815467d7f
                    • Instruction ID: 33f4c8b888ae4b0bdb6ba39933d45f5a415b67f6b9df4932558f0173ead2c6a6
                    • Opcode Fuzzy Hash: dd0f9cbfacd63485b6b0bef7153edd156b2421285721567efba0304815467d7f
                    • Instruction Fuzzy Hash: A81123B2D102099FDB10DF9AD849BDEBBF4EB88720F55802AD418A3250D378A545CFA5
                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E8A961,00000800,00000000,00000000), ref: 00E8AB72
                    Memory Dump Source
                    • Source File: 00000000.00000002.2109640579.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 0e5626af9fde9766cce4c97d2492d50115aedd1e349d6a890a7f39fbae6c87d7
                    • Instruction ID: a04fee5164e182c77197241d456366206f1936ec7ff6a8cfd8d2c449a6218b82
                    • Opcode Fuzzy Hash: 0e5626af9fde9766cce4c97d2492d50115aedd1e349d6a890a7f39fbae6c87d7
                    • Instruction Fuzzy Hash: 891103B6800349DFEB10DF9AD444A9EFBF5AB88360F14842AD519B7200C379A944CFA5
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04D9B71E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: ee8505feadfe3226c966809a41d93f04f996f5faa40879725c03beb93882a9f4
                    • Instruction ID: 22c14abf49e17ee2fcad9965aa8973fc0a730c3925707c0886d04f47bbbc70b4
                    • Opcode Fuzzy Hash: ee8505feadfe3226c966809a41d93f04f996f5faa40879725c03beb93882a9f4
                    • Instruction Fuzzy Hash: 4C1103729003499FDF10DFAAE845BEEBBF5AF88320F24841AE555A7250C775A940CBA1
                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E8A961,00000800,00000000,00000000), ref: 00E8AB72
                    Memory Dump Source
                    • Source File: 00000000.00000002.2109640579.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: f91f3a8c6e02001f5cc696d1ac518c7049e1c094514099bc373f7f7423061608
                    • Instruction ID: 45aeb61d22b2d8fc0126c76d51f320d94fdbdbd9b674ffeffadd341bdc218865
                    • Opcode Fuzzy Hash: f91f3a8c6e02001f5cc696d1ac518c7049e1c094514099bc373f7f7423061608
                    • Instruction Fuzzy Hash: 511114B6D00349CFEB10DF9AD444A9EFBF5AB48310F14842AD529B7640C379A545CFA5
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04D9B71E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 0d27df32e43d15b309062c3ab4df5cb534980ce4f21d2b20b63eeac68e7b32b9
                    • Instruction ID: b03f4faafdbc1a10c8f4ddee4fa6142bca9eadf5627dcf065536c901ed200609
                    • Opcode Fuzzy Hash: 0d27df32e43d15b309062c3ab4df5cb534980ce4f21d2b20b63eeac68e7b32b9
                    • Instruction Fuzzy Hash: 34111471800349DFDF10DFAAD845BEEBBF5AF88720F24841AE515A7250C775A940CBA5
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 4bb20e60fc551d32294fc786e137f49de898e3af721cabe2046516faa7d4a501
                    • Instruction ID: 7ea54e2586c719f48f007f633af3400172d9b48d606e8b7874c4fe47f23965e3
                    • Opcode Fuzzy Hash: 4bb20e60fc551d32294fc786e137f49de898e3af721cabe2046516faa7d4a501
                    • Instruction Fuzzy Hash: 561128B1D003498FDB10DFAAD4457AEFBF5AF88720F24841AD519A7240CB79A944CBA5
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2110722700.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4d90000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00E8A8E6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2109640579.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e80000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b9cd2ad03bca3cb382719d8876d7cc16cc145e5190fd8e5119b55145b23b822f
                    • Instruction ID: 08d2434f2b4f3ba02ab9d268ab5529bbf8976fddde1519f9a5208834a1acb6f7
                    • Opcode Fuzzy Hash: b9cd2ad03bca3cb382719d8876d7cc16cc145e5190fd8e5119b55145b23b822f
                    • Instruction Fuzzy Hash: E3318FB160410AAFCF059F68E854AAF7BBAFF8D300F104415FA058B294CB35CD61DBA1
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d77ebe4fc03fcbe8bd0060ac66f5d5cd44d48509b456166509dcbbdc966d07a4
                    • Instruction ID: 48e08a5a39e09e2cbc946c1a3b47899fd9b2a43c6cf4a6cb4772210815e5bd29
                    • Opcode Fuzzy Hash: d77ebe4fc03fcbe8bd0060ac66f5d5cd44d48509b456166509dcbbdc966d07a4
                    • Instruction Fuzzy Hash: F621D634F081044BEB151B39A898A7D37ABAFD9758B148479D902CB3D1DE35DC86E7C0
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2b92987244db6fa05c31c5ca1bf4a5aac626ad14bfcdc8558b172b2f619234b1
                    • Instruction ID: 47909d2ae3402f70864485d7451bf11d4ebcd523d34d3658e14e950cca5e5190
                    • Opcode Fuzzy Hash: 2b92987244db6fa05c31c5ca1bf4a5aac626ad14bfcdc8558b172b2f619234b1
                    • Instruction Fuzzy Hash: 0021A134F081054BEB151B29A89877E769BAFD9758F248438D902CB3D4EE36DC86E7C0
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f8740fd4774141347e61cb64989856db62777b74ed242a4fa5ac927d96a411a
                    • Instruction ID: cc39383e80a814eebcadfd252492748b26aabc3256ef46c6f2c661cda5901c36
                    • Opcode Fuzzy Hash: 0f8740fd4774141347e61cb64989856db62777b74ed242a4fa5ac927d96a411a
                    • Instruction Fuzzy Hash: D821D334B01A158FC7299B79E45492BB7A6FF8A750B15456AE806CF391DF31EC02CF80
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 598fcedb57c089864e002ad2af2411a0497ba313fa7f55ba6d4cc2ba04ebcc3f
                    • Instruction ID: d76fa64565475bc7cf735dbe48456b5855aeee88a734ff81e6c29ed8d3b787e1
                    • Opcode Fuzzy Hash: 598fcedb57c089864e002ad2af2411a0497ba313fa7f55ba6d4cc2ba04ebcc3f
                    • Instruction Fuzzy Hash: E621C131A0024AAFCF14DF24D444ABE77A5EF99360F11C519E9099B390DB30EE46CB81
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4c952e4fbedf55af4217d5425dabeb56d536e33f723805bb58a4c63f03ad466d
                    • Instruction ID: 6ff5e58d7a8939eaf00fc03b587eb79bee805416c5b92ff85fe55550d5878fd5
                    • Opcode Fuzzy Hash: 4c952e4fbedf55af4217d5425dabeb56d536e33f723805bb58a4c63f03ad466d
                    • Instruction Fuzzy Hash: E6211531D10259CECB11EFE8E8546ECFBB4FF4A301F10922AE45577294EB306A8ADB40
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: adc9e8c920a7cf1b9623ef2814c0f2eb1e5c8ac31596c1d44a26679163ad8ee5
                    • Instruction ID: c4f85370ac7bdc865d0239f355298bcf9d44ea598b60b22b05077a25ccf54bb8
                    • Opcode Fuzzy Hash: adc9e8c920a7cf1b9623ef2814c0f2eb1e5c8ac31596c1d44a26679163ad8ee5
                    • Instruction Fuzzy Hash: 6E216834A462088FCB05DFB4E840AEEB7B6FF8A300F105069C805B73A4CB359906CF24
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 540ac6cd04c0a3fbbd734b0f583147de9c6877fc55db3d24e36a436064acf0ab
                    • Instruction ID: 6c3efcbf732647df5dcf96a20f7d0c1d41dcee0cbe3bc2bbd6a6d151cd7815b8
                    • Opcode Fuzzy Hash: 540ac6cd04c0a3fbbd734b0f583147de9c6877fc55db3d24e36a436064acf0ab
                    • Instruction Fuzzy Hash: 1C21CFB1A042499FCB159F68E454AAB3BB6FF89310F10446AFA058B291CB35CE56DB90
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4661f1186482cc7ee637c606c8bbc95bb56610c6542f4d2fe0f6a1fceb985e05
                    • Instruction ID: 648dd8cc3ec00787cadba22973865b615efd0511e59ad194edae7dd7ca92bb04
                    • Opcode Fuzzy Hash: 4661f1186482cc7ee637c606c8bbc95bb56610c6542f4d2fe0f6a1fceb985e05
                    • Instruction Fuzzy Hash: A621F235A022098FCB04EFB4E840AEEB7B6FB89300F109529D405B73A4DB359946CF64
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 811b337bca40160d44cd3a8e4cb3d2ce80ddf57e6744e9f7585a02115622d7e8
                    • Instruction ID: f88cea8d42223cefd6c08a8c7cccde0e6bb5fb138f061aaa254d6202688fc745
                    • Opcode Fuzzy Hash: 811b337bca40160d44cd3a8e4cb3d2ce80ddf57e6744e9f7585a02115622d7e8
                    • Instruction Fuzzy Hash: 9511C235B019168BC7199B39E85892BB7AAFF867517154569E806CB390DF21EC02CF80
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 446de035c838ef6f0ae653d3ad64479788910e481965e6e238b6b0c44d1acf4b
                    • Instruction ID: 8a02bb4e9b15814663dd742c237bfc519e79d6798eb0748ea2c41640b8746d19
                    • Opcode Fuzzy Hash: 446de035c838ef6f0ae653d3ad64479788910e481965e6e238b6b0c44d1acf4b
                    • Instruction Fuzzy Hash: 6521EEB4C0520A8FCB00EFA8D9955EEBBF4FF4A301F10556AD815B3260EB341A56CFA1
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 281ea35867f78613df50105e746c9fff7a21b22ab6220f53820fbc2415f4f662
                    • Instruction ID: f0d9436f91874b3bf67f6e219340508e703cc44dd658be03b8ca7f31e9a68b82
                    • Opcode Fuzzy Hash: 281ea35867f78613df50105e746c9fff7a21b22ab6220f53820fbc2415f4f662
                    • Instruction Fuzzy Hash: 9401D671B001085FCF068E7898106EF3FBBDFCA351B18806AF414CB281CA368D529B90
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6589dbab9058e1d3d95c2330405b6b0a4f8eb1c987ea6ef66b2ea3231635df4c
                    • Instruction ID: 3c71c3b0e354af1a2fb75f6b1ed9617cf448855cb5264b4d3911552aeeaf198f
                    • Opcode Fuzzy Hash: 6589dbab9058e1d3d95c2330405b6b0a4f8eb1c987ea6ef66b2ea3231635df4c
                    • Instruction Fuzzy Hash: C5E0D8319152D64EC71297B498540EEBF34EED7220B0546BBD8907B041EB34251FC761
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 96bab5a188ee9a6bbc43e45246b3d9b1c08836d2c6e6bd0d9516049537eab417
                    • Instruction ID: 76d11c61ae604af78a2df147a7dd9ff603c47e304809cef8dd32cb21c2aae4f9
                    • Opcode Fuzzy Hash: 96bab5a188ee9a6bbc43e45246b3d9b1c08836d2c6e6bd0d9516049537eab417
                    • Instruction Fuzzy Hash: 16D05B31D2126B57CB00E7A5DC044EFF738EED5661B544626D51437140FB702659C7E1
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                    • Instruction ID: b3e389353bdbf6eb8ca9f5683c15a005f7782aa419da7c9323451d0d1d5b602e
                    • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                    • Instruction Fuzzy Hash: 1AC08C7320C22C2AE234508E7C41EE3BB8CC3D57B4A210137FAACE7381AC469C8001F9
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 075d4fd5b99c16bf2509928d23ba0bfdc3483a91f10d07da7c15ae06225f9d7d
                    • Instruction ID: f5ddf51aff95ec921f8234037305f6a1fbad593c4c32733dde900ebfaa2c6784
                    • Opcode Fuzzy Hash: 075d4fd5b99c16bf2509928d23ba0bfdc3483a91f10d07da7c15ae06225f9d7d
                    • Instruction Fuzzy Hash: B4D067BBB411089FDF049F99EC409DDB7B6FB9C221B448516E915A3260C6319921DB60
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5a764bc47c3cab44c42ea8b454be31f397247cb7eabfabf6fd31c8b06857db5f
                    • Instruction ID: 740fafa5337760ab7a8cb6cbd669d730746dc0ed9d45e1c3942eca957c795b68
                    • Opcode Fuzzy Hash: 5a764bc47c3cab44c42ea8b454be31f397247cb7eabfabf6fd31c8b06857db5f
                    • Instruction Fuzzy Hash: 28D0C2304183469BDB02BB34F9205543F39AA86304B8001A7A8044D01BFA740949C792
                    Memory Dump Source
                    • Source File: 00000002.00000002.3958156481.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_a00000_7vwfhMuUQg.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 691654f30ffc2dcb1555f9966506fdbd1236c776785af6fd39159345e0fb1c42
                    • Instruction ID: 968e1bc2ba04a3e9dab544a0c9c9ac90078c21ddf913e7a3e13539479d328f34
                    • Opcode Fuzzy Hash: 691654f30ffc2dcb1555f9966506fdbd1236c776785af6fd39159345e0fb1c42
                    • Instruction Fuzzy Hash: 48C0123052430A97DA01F775F955A953B3EFAC5300F405626B5094D129EF741A499691